It’s become painfully obvious that cybersecurity is critical to enabling clinicians to provide quality care to their patients. This week, a hospital in Illinois is closing its doors after a devastating ransomware attack. Recent cyberattacks against CommonSpirit Health compromised the personal data of over 600,000 patients, while Tallahassee Memorial Healthcare had to send emergency patients to other hospitals after their operations were taken offline. These disruptions can lead to delayed care as patients must travel to another hospital or physicians must rely on low-tech ways to deliver care. A recent NPR report highlighted how a hospital in Indiana had to revert to pen and paper instead of digital files and find runners to shuttle test results from lab to office.
Unfortunately, these are not uncommon incidents. Last month, 1 out of every 44 organizations across the United States was impacted by a ransomware attack. Healthcare organizations continue to be among the top 3 most impacted industries. Last year, the healthcare industry experienced a 78% year-on-year increase in cyberattacks, with an average of 1,426 attempted breaches per week per organization.
It cannot be overstated that in healthcare, cyberattacks are a matter of life and death. In fact, a survey conducted by the Ponemon Institute found that more than 20% of healthcare organizations reported an increase in patient mortality rates after experiencing a breach.
Why do cyber criminals target healthcare?
Healthcare is essential, and it holds troves of sensitive medical data. For cyber criminals, breaching a healthcare organization yields that data, which can be held for ransom or sold, and all but guarantees media coverage and notoriety for the attacker. Both factors put victims under immense pressure, increasing the likelihood that a high ransom will be paid.
The healthcare sector is vulnerable for several reasons. First, the increasing sophistication and volume of cyberattacks is not a threat these organizations are set up to deal with. Many hospitals run a blend of old and new technologies, much of it either not centrally managed or simply forgotten because it was never properly documented. The problem has only grown as more Internet of Things (IoT) and medical devices are added, many of which were never built with security in mind. The current cybersecurity skills shortage means there is too little expertise to manage this widening attack surface. Add these factors together, and cyber criminals see a high-value target with a large attack surface and many potential points of entry.
Patients deserve quality care that sustains strong physical, intellectual and emotional health outcomes. The protection of their healthcare data is a component of that. A cyber attack has the potential to affect a given individual’s or population’s physical health, and it may cause social and emotional difficulties should personal information become compromised and find its way into public view. In fact, patients are currently suing One Brooklyn Health after the organization was breached by cyber criminals who leaked patient data. The patients are concerned that they are now at greater risk for fraud, identity theft, misappropriation of health insurance benefits and more.
The Good News
Recently, the FDA announced new requirements to secure medical devices against cyberattacks. Manufacturers of connected medical devices (the Internet of Medical Things, or IoMT) now need to submit a plan detailing how they will monitor, identify and address cybersecurity vulnerabilities after the device is on the market, provide "reasonable assurance" that the device and related systems are cybersecure, and supply a software bill of materials (SBOM) listing the commercial, open-source and off-the-shelf components inside the device. Devices that are secure by design, and whose software components are known, ease the burden on healthcare CISOs and IT leaders: they are easier to patch, easier to inventory, and easier to isolate when a component is found to be vulnerable.
Three actions to prevent cyberattacks from disrupting the healthcare workflow
- Culture: Establish secure-mindedness in every aspect of the patient journey. Educating the staff on why cybersecurity is important and their role in protecting patients through good information security practices should become as second nature to the healthcare organization as maintaining hygienic conditions. Cybersecurity education and training must be frequent and ongoing in order to instill a secure-minded culture.
- Endpoint protection: A single user in the healthcare system may have multiple endpoints from which they access and transmit electronic health information, and medical devices themselves transmit data. Prevention-first endpoint protection means layering several capabilities: anti-phishing, anti-ransomware, anti-bot, content disarm and reconstruction (CDR), and automated post-detection remediation and response. The U.S. Department of Health and Human Services (HHS) provides actionable guidance on safeguarding electronic protected health information.
- Access control (zero trust model): Limiting who can reach healthcare data does not stop an intrusion on its own, but it sharply limits what a phished credential or compromised workstation can do once inside. Zero trust lets healthcare organizations enforce least privilege, granting each user and device only the permissions the task at hand requires, and re-checking that grant at each request rather than trusting a one-time login. Every tier of data should be accessed on a need-to-know basis, so that a clinician sees the records of the patients currently in their care and nothing more, which reduces the opportunities for unauthorized access and makes the remaining ones easier to spot in an audit trail.
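To make the access-control point concrete, here is an added example (not code from the original post or from any vendor product) of a deny-by-default, need-to-know policy check for electronic protected health information. Roles, actions, user IDs, patient IDs and care-team assignments are all constructed for illustration; real deployments would source them from the EHR and identity provider. It shows the two gates a least-privilege design needs, the role grant and the active care relationship, plus a time-boxed break-glass override that is always written to the audit log.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Least privilege: each role is granted only the actions it needs.
# Anything not listed here is denied. (Constructed roles and actions.)
ROLE_ACTIONS = {
    "attending": {"read_chart", "write_orders", "read_lab"},
    "nurse":     {"read_chart", "read_lab"},
    "lab_tech":  {"write_lab"},
}

# Only clinical roles may invoke the emergency "break-glass" override.
BREAK_GLASS_ROLES = {"attending", "nurse"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    break_glass: bool = False


class EphiPolicy:
    """Deny-by-default access decisions for ePHI with an audit trail."""

    def __init__(self, roles, care_team):
        # roles: user_id -> role name
        # care_team: (user_id, patient_id) -> datetime the assignment expires
        self.roles = roles
        self.care_team = care_team
        self.audit = []  # every decision, allowed or denied, is recorded

    def authorize(self, user, action, patient, now, break_glass_reason=None):
        decision = self._decide(user, action, patient, now, break_glass_reason)
        self.audit.append({
            "ts": now.isoformat(), "user": user, "action": action,
            "patient": patient, "allowed": decision.allowed,
            "reason": decision.reason, "break_glass": decision.break_glass,
        })
        return decision

    def _decide(self, user, action, patient, now, break_glass_reason):
        role = self.roles.get(user)
        if role is None:
            return Decision(False, "unknown user")
        # Gate 1, role: can this role ever perform the action?
        if action not in ROLE_ACTIONS.get(role, set()):
            return Decision(False, f"role '{role}' is never granted '{action}'")
        # Gate 2, need-to-know: is the user on this patient's care team right now?
        expires = self.care_team.get((user, patient))
        if expires is not None and now < expires:
            return Decision(True, "active care-team assignment")
        # Emergency override: still bound by the role check above, and flagged.
        if break_glass_reason and role in BREAK_GLASS_ROLES:
            return Decision(True, f"break-glass: {break_glass_reason}", break_glass=True)
        return Decision(False, "no active need-to-know for this patient")

    def flagged_accesses(self):
        """Break-glass events that a privacy officer should review."""
        return [e for e in self.audit if e["break_glass"]]


def demo():
    # Constructed sample directory: one nurse on shift, one attending whose
    # rotation on the patient ended yesterday, one lab technician.
    now = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
    policy = EphiPolicy(
        roles={"rn_chen": "nurse", "dr_ruiz": "attending", "lt_okafor": "lab_tech"},
        care_team={
            ("rn_chen", "P-1001"): now + timedelta(hours=12),
            ("dr_ruiz", "P-1001"): now - timedelta(days=1),
        },
    )
    results = {
        "nurse_reads_own_patient": policy.authorize("rn_chen", "read_chart", "P-1001", now).allowed,
        "nurse_writes_orders": policy.authorize("rn_chen", "write_orders", "P-1001", now).allowed,
        "nurse_reads_other_patient": policy.authorize("rn_chen", "read_chart", "P-2002", now).allowed,
        "nurse_break_glass": policy.authorize("rn_chen", "read_chart", "P-2002", now,
                                              "ED arrival, patient unconscious").allowed,
        "attending_expired_assignment": policy.authorize("dr_ruiz", "read_chart", "P-1001", now).allowed,
        "lab_tech_break_glass": policy.authorize("lt_okafor", "read_chart", "P-2002", now, "curious").allowed,
        "unknown_user": policy.authorize("ghost", "read_chart", "P-1001", now).allowed,
        "flagged_for_review": len(policy.flagged_accesses()),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the gates matters: the role check runs before the break-glass path, so an override can widen which patients a clinician may see but never which actions a role may perform, and a lab technician cannot "break glass" into a chart at all. Denied requests are logged alongside allowed ones, since a burst of denials from one account is often the first visible sign of a stolen credential.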
In recent conversations with healthcare CISOs, the desire for understanding how to secure the health of everyone, everywhere, with certainty, was clear. The conversations are ongoing and there is a strong culture of collaboration in the industry, with sharing best practices and lessons learned for taking action. We understand the importance of good health and remain dedicated to protecting our healthcare institutions and providers.
By taking a prevention-first approach to protecting hospitals, providers and patients, we can stop disruption before it reaches the point of care. Clinicians shouldn't have to worry about whether they will be able to access digital medical records or whether they can rely on their medical instruments. Improving care outcomes for patients is already a big enough task. As physicians often say, an ounce of prevention is worth a pound of cure.