U) Helping Hospitals Improve Resilience to Ransomware

The Federal Bureau of Investigation received more reports of ransomware attacks on organizations in the healthcare and public health sector in 2022 (the most recent year available) than for any other critical infrastructure sector, with the number of attacks rising in the two years since then. [...] For example, Change Healthcare, the insurance claims processing system that processes 50 percent of all medical claims in the US, was hit by a ransomware attack on February 21, 2024, disrupting the ability of medical providers across the country, including those of many hospitals, to make insurance claims and get paid. [...] Hospitals need support to develop incident response plans that cover cyber-specific considerations, including the following: • An examination of potential cyber threats and levels of disruption (from minor inconveniences to a complete disruption of operations) • A thorough review of the hospital’s mission critical functions and the resources (people, tools, facilities, and systems) needed to accom. [...] Hospitals and healthcare organizations will need guidance and assistance in developing and exercising a cyber-incident response plan from a partner who understands both the needs of the healthcare industry and the unique challenges presented by a cyberattack. [...] CNA is a nonprofit research and analysis organization dedicated to the safety and security of the nation.