Why the Biden-Harris Administration’s New National Cybersecurity Strategy Is an Important Step Forward for Health Care
Over recent months, increasing ransomware attacks and other cybersecurity threats in the health care field have underscored the critical need for hospitals and health systems to defend against malicious actors. Health care possesses a unique combination of highly targeted data sets that makes it a prime target for cyber adversaries.
Ransomware Impacts and Cyber Defense Challenges
During my testimony to the U.S. Senate in December 2020, I pointed out that a ransomware attack could interrupt patient care, or worse, shut down operations at the facility, thereby putting patient lives, and the community, at risk. Cybersecurity vulnerabilities and intrusions can also negatively affect a health care organization’s reputation.
Many hospitals and health systems recognize that they must view cybersecurity not as a novel or IT-only issue but as an enterprise risk, so they are striving to make cybersecurity part of their existing governance, risk management and business continuity framework as they elevate their vigilance against growing and more sophisticated cyberthreats. Yet, as they face dire workforce shortages and financial challenges exacerbated by the pandemic, enhancing their cyber defenses can be quite a struggle.
Call for Help
That is why in 2020 I called upon the Senate to expand public-private partnerships and cross-industry efforts to share threat information, and to step up to defend the nation’s hospitals and health systems from cyberattacks. After all, hospitals can only do so much on defense when foreign-based adversaries sheltered by hostile nation-states attack them. We also need a robust offense by the U.S. government to go after bad actors.
Administration Takes Action
For this reason, I commend the Biden Administration on its National Cybersecurity Strategy, announced March 2, 2023, which is aimed at shifting cyber defense responsibilities, improving cyber resilience and disrupting cyberthreat operations. The Strategy acknowledges that private sector efforts alone are insufficient to counter the significant cyberthreats we face as a nation.
We at the American Hospital Association (AHA) are pleased that the Strategy includes several important ideas we fully support, including:
- Declaring ransomware attacks as a national security threat.
- Conducting more offensive operations against cyberthreat actors.
- Implementing software security requirements for software developers.
I am also proud of the FBI’s actions in defending hospitals and health systems from cyberattacks. Recently, for example, the FBI took down the Hive ransomware gang, whose criminal enterprise threatened patient safety. To hear the dramatic story, listen to my podcast interview with the FBI supervisor in charge of the Hive investigation.
The AHA Continues to Support Health Care Cybersecurity Efforts
The AHA will continue to work with the hospital field, Congress and the Administration, and other stakeholders to advance and adopt cyber policies that are streamlined, effective and feasible to implement.
And, as the AHA’s national advisor for cybersecurity and risk and a former FBI cyber executive, I want you to know that I provide a variety of cybersecurity offerings to advise and assist health care organizations like yours in mitigating the many cyber and physical risks you face. View the many places I’ve traveled over the past two years as part of my work with AHA members, hospital associations and government officials.
Plus, learn how the exclusive, highly vetted panel of service providers in our AHA Preferred Cybersecurity Provider (APCP) Program can help your organization prepare for, prevent and respond to today’s pressing cyberthreats.