Protecting Against Cybersecurity Threats
Cyberattacks continue to threaten health systems’ and hospitals’ security by compromising patient privacy and safety and causing financial damage. Understanding where these attacks come from can help these organizations protect themselves against the threat.
The increased prevalence and interoperability of electronic health records, connected medical devices, internet of things (IoT) devices, and other connected technologies in health care have benefited patients by allowing for more coordinated care and more engagement with their healthcare providers. However, as the U.S. healthcare system becomes increasingly internet-based, it will also become more vulnerable to cyberattacks—often from unexpected directions.
For example, one hacker gained access to medical records at a hospital by hacking into the food services system. Healthcare data breaches cost, on average, $408 per record—the highest cost among all industries for the eighth straight year, and nearly three times higher than the cross-industry average of $148 per record. Cybersecurity attacks compromise patient safety and privacy, impact a hospital’s reputation and patients’ trust in the hospital, and can potentially cause significant financial damage.
Types of Cybersecurity Attacks
Insider threats are a large part of cybersecurity risks. According to one study, 58 percent of cybersecurity incidents in health care involve individuals employed by the health system. Insider threats can range from accidents (e.g., a lost laptop) and unknowingly clicking on a phishing link to purposefully selling or using personal health information for identity theft.
Ransomware represents another common form of cybersecurity risk. Ransomware is a type of software that cyberattackers use to take over a victim’s computer system and deny the user access to data unless the user pays a ransom, generally in cryptocurrency, to unlock the files. This year, there have been well-publicized ransomware attacks against healthcare organizations, such as Allscripts and LabCorp, with both attacks shutting down system functionality for a week or more.
The proliferation of IoT devices in health care is growing rapidly, giving attackers more endpoints through which to target health information. IoT devices range from the 3.7 million clinical devices that collect and transmit data over online networks to devices like iPads and wearables, which may not be critical to care but have increasing access to patient data. In July, the National Institute of Standards and Technology (NIST) issued a report indicating that clinicians are increasingly bringing their own smartphones and other devices to use at work, which necessitates protection against both privacy violations and cybersecurity vulnerabilities.
The Food and Drug Administration also recently released an action plan for medical device safety to help inform both owners and users of potential vulnerabilities in their devices. The plan may be a helpful resource for hospitals and health systems looking to increase device security.
The increase in merger and acquisition activity in the healthcare sector is another issue that raises cybersecurity concerns. When two systems merge and interconnect, IT integration challenges invariably arise. Differing medical technologies and devices, along with the need to share information between newly merged organizations, can create new vulnerabilities in systems.
Improving Cybersecurity Response
With the looming threat of expensive cyberattacks, hospitals and health systems can face a variety of internal challenges in treating cybersecurity as an enterprisewide risk management issue rather than just an IT issue. Preventive planning is the main tool for protecting against cyberattacks in the first place, but some hospitals do not realize that their current level of due diligence leaves them at risk.
Proper staffing is key to advancing good cyber hygiene, defined as the individual behaviors used to appropriately protect and maintain IT systems and implement cybersecurity best practices. Many chief information officers are frustrated by a lack of investment in personnel and infrastructure. Many CEOs and CFOs are reluctant to invest resources in an area with little direct return in the form of increased financial stability. However, cybersecurity investments in the form of hiring, infrastructure development, and crisis planning are critical to protecting delivery systems’ brand, reputation, and financial health.
Other preventive measures that hospitals may consider include training nonsecurity staff in effective cyber hygiene, which comprises a spectrum of habits: performing effective endpoint management (e.g., securing legacy medical devices and software systems), consistently backing up data, securing personal health information at the site of care, and recognizing and reporting phishing emails. Healthcare organizations should take inventory of which cyber hygiene habits they want to focus on and improve in order to protect against cyber threats.
If a hospital is attacked, its ability to respond effectively can determine the severity, liability, and cost of the breach. In preventive planning, it is critically important to develop and exercise an emergency response plan that outlines policies, processes, and expectations in the event of a cyberattack and that ensures the right staff are in place and armed with the best tools and training to support their work. A cybersecurity framework created by NIST and a discussion guide developed by the Centers for Disease Control are helpful tools that healthcare organizations can use to evaluate their cybersecurity infrastructure and develop effective response plans.
As cyberattackers become more inventive and sophisticated, healthcare organizations must ensure that their cybersecurity infrastructures are keeping pace. Proper prevention against attacks requires attention and vigilance, just as responses in the event of an attack may require flexibility. Meaningful investment in cybersecurity will both offer financial returns and build confidence among staff and consumers that their digital protection is a priority.