Some U.S. hospitals are falling short in protecting themselves from cyberattacks, with 29 percent of facilities recently surveyed lacking a documented governance, risk, and compliance (GRC) system, a new report from the Department of Health and Human Services (HHS) found.

The report, released Monday, is a forerunner to the creation of new policy requirement practices at hospitals, with guidelines aimed at the protection of patient data. The frequency and complexity of cyberattacks on hospitals is increasing and includes attacks that have resulted in weekslong shutdowns of imaging and laboratory equipment, the HHS said.

Because of the drastic impact such shutdowns can have on patients, especially critically ill people, the Federal Bureau of Investigation now considers attacks on hospital systems “threat-to-life” crimes, the report said.

The HHS used the report to “better identify the biggest threats facing hospitals and assess their cybersecurity capabilities relative to commonly accepted cybersecurity practices,” the agency’s deputy secretary, Andrea Palm, said. The HHS anticipates the report will be a reference document for operational actions and policy considerations.

The report, which drew on two analyses of threat data pertaining to hospitals, two surveys of more than 400 hospitals total, and in-depth interviews with 20 hospitals, found attacks meant to harm hospitals have increased 50 percent since 2021. The largest threat is ransomware attacks.

Attackers are motivated by money, state-sponsored espionage, hacktivism, or degrading public trust, the report said.

While 89 percent of hospitals surveyed regularly assess their vulnerability to cyberattacks, just 53 percent said they have documented plans for addressing their vulnerabilities, the report found.

Only 71 percent of hospitals rely on GRC systems, which help organize controls related to policies, risk assessments, and registers, the report said.

Hospitals are leaving themselves vulnerable to cyberattacks by inconsistently requiring multifactor authentication (MFA). While 90 percent of hospitals surveyed rely on MFA for email and other accounts, data indicates just 84 percent of virtual private networks incorporate MFA, along with only 88 percent of email systems, the report found.

The report “provides us with a platform to begin working through potential policy considerations and minimum standards to better support cybersecurity in U.S. hospitals,” said Palm in a press release.

The HHS created on-demand video and other media trainings in five security-related topic areas for hospitals to use to increase their knowledge of the subjects. The topics include social engineering; ransomware; loss or theft of equipment or data; accidental, intentional, or malicious data loss; and attacks against network-connected medical devices.

The agency also said it updated its guidebook, “Health Industry Cybersecurity Practices 2023.”

Adrianne Appel writes regulatory news, policy, and trends for Compliance Week. She previously reported about policy developments for Bloomberg Law and Bloomberg Government.

Topics