The Department of Homeland Security has ordered that all federal agencies remove Kaspersky Lab software from their computer systems in the next 90 days, a decision that could ripple down into the healthcare industry, cybersecurity experts say.
Kaspersky, a Russian security software company that has more than 1,700 healthcare customers in North America, is being investigated by the FBI for ties to Russian security services, which can require Kaspersky to assist Russian intelligence services. There is a risk that these actions could "compromise federal information" and threaten U.S. national security, according to DHS.
Kaspersky has more than 5,000 healthcare customers around the world, a small but important sliver of its over 400 million users.
The U.S. federal ban on Kaspersky products is "extreme," said Richard Henderson, a global security strategist with cybersecurity firm Absolute.
"If the ban sticks, I think we can expect a lot of healthcare organizations to err on the side of caution and replace Kaspersky products with others," he said. "The unquantifiable risk for hospital CISOs is too great to ignore."
Healthcare chief information security officers, others involved in cybersecurity, and even those who don't usually focus on security, such as employees of small practices, will have to dedicate time and money to finding replacements, said Mac McMillan, president and chief strategy officer of CynergisTek. Eventually, "all of the district hospitals and organizations that are related to any government program like Medicare and Medicaid are going to move away from Kaspersky," he said.
The move isn't as simple as replacing one piece of security software with another, McMillan said, since Kaspersky software can be embedded in non-security applications, like radiology systems.
Even if the ban doesn't remain permanent, the damage is already done to the Kaspersky name, McMillan said.
"There's always going to be some level of distrust," he said. "The ban is not trivial. For the government to make this decision, it must be really concerned. These decisions are not taken lightly."
Earlier this summer, U.S. security officials said they wouldn't be comfortable with their agencies running Kaspersky software, and lawmakers called for a ban on Kaspersky products in the Department of Defense. In response, Kaspersky released a statement saying that the company and its founder "do not have ties to any government."