Exclusive: New federal plan aims to stop hospital cyberattacks

- Sam Sabin, author of Axios Codebook

Illustration: Tiffany Herring/Axios
The Cybersecurity and Infrastructure Security Agency is rolling out a new plan for health care organizations and hospitals trying to fend off an influx of ransomware and nation-state cyberattacks, an agency official first shared with Axios.
Why it matters: Hospitals and health care organizations have become prime targets for ransomware hackers who are eager to steal sensitive patient information and shut down critical services in order to get a payout.
- The Department of Health and Human Services (HHS) has estimated that more than 61 million people's medical data has been exposed in attacks since January, per the Wall Street Journal.
Driving the news: CISA released new mitigation guidelines Friday for health care and public health organizations that detail how the sector can tackle a wide array of cyber priorities, from basic cyber hygiene to advanced encryption standards.
Details: The agency is recommending that organizations implement multi-factor authentication for all login credentials, take inventory of what assets are on their online networks and be mindful of which employees have access to sensitive data.
- The document also provides tips for better encrypting sensitive information and spotlights the top vulnerabilities hackers are using to attack hospitals and health care organizations, including the Log4j open-source flaw and a long-known security flaw in Microsoft Exchange.
The big picture: CISA and lawmakers have recently placed a greater emphasis on helping health care organizations after years of devastating cyberattacks targeting the sector.
- The new document doesn't add to that existing advice, but instead attempts to create one central resource for health care cybersecurity professionals, Nitin Natarajan, deputy director of CISA, told Axios.
What they're saying: "We're in a much different place now where [the health care industry] sees themselves as targets for a combination of both cyber terrorists, cyber criminals and nation-states," Natarajan, who is also a former HHS official, said.
- Hospital officials understand the scope of the problem now, Natarajan said. "That's also what I think makes the timing of this type of guidance more important," he added.
Between the lines: The document provides a clear roadmap for often overwhelmed, understaffed health care IT teams to follow to improve their security posture.
- Much of the report also includes practical advice for how to implement certain programs and which cyber risks are most threatening to the industry — rather than just laying out the problems.
Zoom out: Establishing one set of guidelines for the health care sector was a tricky task for CISA considering how varied companies in the space are.
- The agency had to account for the needs of smaller, rural hospitals that lack funding, as well as mega-hospital systems in major cities, telemedicine providers and medical technology providers.
Yes, but: Like most of CISA's work, the new guidance is voluntary for hospitals and health care organizations.
The intrigue: The report doesn't mention how generative AI could exacerbate cyber threats against health care organizations.
- CISA is still recommending that employees be wary of emails with misspellings and grammar mistakes, even though ChatGPT and other generative AI tools now remove those traditional tell-tale signs of a phishing email.
- However, CISA and the health care sector are still paying attention to AI's impact, Natarajan said.
- "From CISOs all the way through CEOs, they are having those discussions internally to what AI looks like in their sector," he added. "We want to learn from them, and then we want to use that to help guide what our recommendations should look like."