Guest Author
For the 300,000 people who call Leon County home, and the thousands who live in the surrounding areas, Tallahassee Memorial HealthCare (TMH) is a lifeline. As the only trauma center serving northwest Florida and southern Georgia, the hospital receives patients in dire medical situations. For those who depend on TMH, its orderly operation is literally a matter of life and death.
Despite the importance of the hospital to the health of northwest Florida, a cyberattack on Feb. 2, 2023 (which officials labeled an “IT security event”) forced the hospital to turn patients away and operate under “IT system downtime procedures.” These measures included shifting from electronic records to paper, canceling non-urgent surgeries, and diverting patients to nearby hospitals.
While hospital officials and law enforcement agencies remain quiet on the exact nature of the incident, it is widely believed to be a ransomware attack — where cybercriminals will encrypt files to prevent owners from accessing them until a ransom is paid. In 2022, it is believed around 290 hospitals in the United States were targeted by ransomware attacks.
Aside from the significant disruption the attack caused to those seeking medical care, it also highlighted the need for Florida lawmakers to continue crafting cybersecurity policies that ensure our state’s businesses and citizens are well-positioned to meet the growing threat posed by cybercriminals and nefarious digital actors.
For the most part, the state Legislature and Governor’s office have enacted legislation and pursued policies that have made Florida one of the most digitally secure states in America. In fact, in 2020, the Internet Association ranked Florida as the third most digitally secure state, behind California and Minnesota.
Florida’s status as one of the most digitally secure states is well deserved, thanks to good policy advanced by both the state Legislature and the Governor’s office.
As part of Gov. Ron DeSantis’ Framework for Freedom Budget, he requested the Legislature approve an almost $150 million appropriation for “security intelligence, modernization, training and resiliency.” This appropriation, the Governor claimed, was in response to the fact that as “cybersecurity threats continue to become more sophisticated, it is vital that both state and local governments have the tools necessary to protect critical public resources and sensitive information.” Such a significant appropriation comes on top of numerous grants awarded throughout 2022 to cybersecurity training programs, a critical step toward addressing the shortage of qualified cybersecurity workers in the state.
Additionally, the state Legislature has enacted legislation to make Florida a less appealing target for cybercriminals. Passed in 2022, Florida’s State Cybersecurity Act mandated the creation of a cybersecurity strategic plan, mandated cybersecurity training for state employees, and required cyber incidents involving state and municipal agencies to be reported within two days or immediately, depending on the sensitivity of the affected agency. Other legislation prohibited state agencies and municipalities from paying ransom after ransomware attacks, backed by the belief that the limited gains would disincentivize attacks.
While these investments and legislation have made Florida one of the most digitally secure states in America, there is still more that could be done.
First, the state and private industry must continue to modernize their IT infrastructure and train employees in best practices to keep their systems secure. Second, the state Legislature would be wise to enshrine a cyber incident safe harbor into law, like in Utah, that would provide an affirmative defense for entities that act in good faith but fall victim to cybercriminals. Third, and perhaps most importantly, the state must continue to make investments in cybersecurity training programs to ensure both public and private entities have access to a workforce who have the skills to protect Floridians’ data.
While these measures may not have prevented the attack on Tallahassee Memorial, they would have mitigated the severity of the attack, perhaps keeping hospital systems online and allowing the hospital to continue to receive patients and ensuring those who need critical care could access it without disruption. If anything, the cyberattack provides a clear message: while Florida leads the nation in cybersecurity, vulnerabilities continue to exist, and there is more that could be done to protect entities from cybercriminals.
After all, it’s not if there will be another cyberattack, it’s when.
___
Ed Longe is the director of the Center for Technology and Innovation at The James Madison Institute.
