HAP's Latest News

Report: Hospitals ‘Broad Target’ for Cybersecurity Threats

July 07, 2021

A recent report from the federal Office of Inspector General (OIG) evaluated the oversight process to prevent cyberattacks at hospitals and the need for continued vigilance to protect sensitive patient information.

“As health care delivery becomes more reliant on technology, cyberattacks on hospitals continue to increase,” the report notes. “Hospitals represent a broad target for cyberattacks, and attackers could gain access to a hospital’s entire network via a hacked device.”

The OIG report assesses the government’s role in overseeing the vast array of devices connected to a hospital’s network (such as electrocardiogram systems and other patient monitoring technology) and the potential for those devices to serve as points of entry for cybercriminals to access sensitive information. One expert in the report estimates that a large health network could have as many as 85,000 medical devices connected to its network.

“Although they are distinct from hospitals’ electronic health record (EHR) systems, these devices may connect to the same network as a hospital’s EHR system, and thus can be connected to the EHR system as well as to other devices on the same network,” the report said. “As a result, networked devices that lack proper cybersecurity may have vulnerabilities that could lead to adverse outcomes.”

Among the key takeaways from the OIG report:

  • Protecting devices: Safeguards to protect networked devices from cyberattacks can fit within hospitals’ overall cybersecurity framework.
  • A spike in cyberattacks: During October 2020, federal agencies warned of increased ransomware attacks on hospitals, and there has been a 45 percent increase in attacks against health care organizations since that warning.
  • Addressing oversight: The OIG report recommends that the Centers for Medicare & Medicaid Services (CMS) update its survey and oversight process specifically to address cybersecurity of networked medical devices.

In a statement, CMS said it was evaluating “additional ways to appropriately highlight the importance of cybersecurity of networked medical devices” in consultation with other federal agencies.

HAP’s emergency management team continues to monitor the latest developments in cybersecurity and will continue to provide guidance to members. The American Hospital Association also offers resources and legislative updates about this important issue.

For more information, contact Chris Chamberlain, MS, RN CHEP, HAP’s vice president, emergency management, or Jason Tomashunas, HAP’s manager, emergency management.