
Hospital Resiliency

Landscape Analysis

The HPH Sector has faced dramatic increases in cyber-attacks intended to cause disruption to the care continuum. In response to this growing threat, the HHS 405(d) Program, in partnership with the Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG) and the HHS’ Centers for Medicare & Medicaid Services (CMS), conducted a Landscape Analysis, which reviewed active threats attacking hospitals and the cybersecurity capabilities of hospitals operating in the United States.
Hospital Resiliency Landscape Analysis
Study Objectives

This report discusses the dramatic increases in cyber-attacks on the HPH Sector intended to cause disruption to the care continuum. The Landscape Analysis conducted a deeper investigative study into the methods that cyber adversaries are using to compromise U.S. hospitals, disrupt operations, and extort for financial gain. It then benchmarked these results against specific practices of the Health Industry Cybersecurity Practices (HICP) in order to outline the most meaningful protections against these specific threats.

The study’s two objectives were:

  • To develop a clear understanding of the current cybersecurity capabilities and preparedness across participating U.S. hospitals, as well as their ability to combat cyber threats
  • To share the analysis and findings with the HSCC CWG for consideration as one of several inputs for informing prioritized cybersecurity practices for U.S. hospitals, as well as other considerations the U.S. government might undertake to improve U.S. hospitals’ cybersecurity resiliency
Threats Identified

The Landscape Analysis included a review of active threats attacking hospitals and the cybersecurity capabilities of U.S. hospitals. Included within the Landscape Analysis are the results of investigations into:

  1. The tactics and techniques that threat actors use to compromise hospitals
  2. The current state of participating hospital cybersecurity resiliency (using the Health Industry Cybersecurity Practices (HICP) as a framework).
Summary:
Threat Analysis

The assessment, based on the data sources used, identified numerous cybersecurity threats to U.S. hospitals such as:

  1. Ransomware and Ransomware-as-a-Service (RaaS) attacks
  2. Cloud exploitation by threat actors, with data suggesting a 95% increase in cloud exploitation cases from 2021
  3. Phishing/Spear-Phishing attacks, specifically those attacks that overcome MFA through social engineering
  4. Software and zero-day vulnerabilities
  5. Distributed Denial of Service (DDoS) attacks
Threat Analysis – Key Take-aways
  • Human Directed Attacks make up 71% of attacks
  • Access Broker theft, used by the human directed attacks, is up 112%
  • Time to move off initial intrusion point is 1 hour 28 minutes (this is the lateral movement off the originally compromised host to another state to obfuscate)
Data Set – Demographic Background of Data
CHIME Data
  • 177 hospitals representing small (owning just 1 hospital)
  • 107 hospitals representing medium (owning between 2 and 5 hospitals)
  • 87 hospitals representing large (owning more than 5 hospitals)
Censinet/AHA/KLAS Study
  • 59 small, medium and large hospitals (size measured by # of beds - using HICP), evaluating on coverage to the NIST CSF and 405(d) HICP, as well as organized benchmarking
2023 H-ISAC Threat Study
  • 11 notable threat actors profiled with descriptions of their tactics, techniques and procedures
  • 288 healthcare executives surveyed to determine top threats
HC3 Threat Data
  • 2,224 healthcare specific cybersecurity incidents
  • Deep analysis of 33 FBI, CISA and HC3 Threat Analysis Reports
Verizon 2022 DBIR Report
  • 23,896 security incidents across a variety of sectors
  • 5,212 confirmed data breaches of the 23,896 incidents
  • 849 incidents and 571 confirmed data disclosures in the healthcare sector
Key Observations

The analysis from the two (2) quantitative studies combined with participating hospital conversations resulted in a series of 10 key observations:

  1. Directly targeted ransomware attacks aimed to disrupt clinical operations are an outsized and growing cyber threat to hospitals
  2. Variable adoption of critical security features and processes, coupled with a continually evolving threat landscape can expose hospitals to more cyber-attacks
    1. Adoption of MFA is taking place in over 90% of surveyed hospitals - why not 100%?
    2. 89% of the hospitals surveyed indicated that they were conducting regular vulnerability scanning at least on a quarterly basis
    3. 86% of the hospitals surveyed responded that their users are informed and trained on performing their cybersecurity related duties and responsibilities
    4. The delivery of in-home care, accelerated by COVID-19, is growing and expanding the cyber threat landscape
  3. Hospitals report measurable success in implementing email protections, which is a key attack vector
  4. Supply chain risk is pervasive for hospitals. Only 49% of hospitals state they have adequate coverage in supply chain risk management
  5. Medical devices have not typically been exploited to disrupt clinical operations in hospitals
  6. There is significant variation in cybersecurity resiliency among hospitals
  7. The use of antiquated hardware, systems, and software by hospitals is concerning
    1. 96% of small, medium, and large sized hospitals claim they were operating with end-of-life operating systems or software with known vulnerabilities, which is inclusive of medical devices.
  8. Cybersecurity insurance premiums continue to rise
    1. On average, cybersecurity premiums increased by 46% in 2021. Five of fifty-six hospitals surveyed in 2022 experienced increases more than 100%, whereas 32 experienced increases just below 35%.
  9. Securing cyber talent with requisite skills and experience is challenging
  10. Adopting HICP improves cyber resiliency

An interesting correlation that was uncovered during analysis was a strong connection between those who have adopted HICP and robust NIST CSF coverage. This indicates that organizations that focus on HICP Practices will gain value and benefit towards managing implementation of the NIST CSF cybersecurity framework.

NOTE: For the purposes of this study, the scope was narrowed to those activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data, although equally important, are not the focus of this study - unless the breach has a direct impact on patient care and safety.

Correlation of HICP and NIST Coverage
Quantified Association of HICP Coverage
Landscape Analysis: HICP Practice Adoption
No Action Required - Significant Progress Made | Urgent Improvement Needed | Additional Research Required | Further Attention Required (Not Urgent)
  • E-mail protection systems
  • Endpoint Protection Systems
  • Identity and Access Management
  • Network Management
  • Vulnerability Management
  • Security Operation Center and Incident Response
  • IT Asset Management
  • Network Connected Medical Devices Security
  • Cybersecurity Oversight and Governance
  • Data Protection and Loss Prevention

The HICP Publications specifically address the above areas identified as “Urgent Improvement Needed”.

Technical Volumes 1 and 2 provide detailed information and guidance to assist your organization with your own review of your current state.

Industry Coverage of HICP

Based on the Censinet/AHA/KLAS Study 2023, on average, hospitals claim to have 72.05% of the HICP practices covered, with email protection having the highest coverage and medical device security the lowest.

Detailed descriptions of the HICP 10 practices discussed in this publication can be found here: HICP Technical Volume 1 and Technical Volume 2
Click here to read the full publication: Hospital Resiliency Landscape Analysis