How To | Technology

Protecting Against Cybersecurity Threats

With the increasing sophistication of cyberattacks in health care, hospitals and health systems must make sure they have effective cybersecurity infrastructures to protect themselves and their patients from such attacks.

Cyberattacks continue to threaten health systems’ and hospitals’ security by compromising patient privacy and safety and causing financial damage. Understanding the sources of attacks on cybersecurity can help these organizations protect themselves against this threat.


The increased prevalence and interoperability of electronic health records, connected medical devices, internet of things (IoT) devices, and other connected technologies in health care have benefited patients by allowing for more coordinated care and more engagement with their healthcare providers. However, as the U.S. healthcare system becomes increasingly internet-based, it also will become more vulnerable to cyberattacks—often from unexpected directions.

For example, one hacker gained access to medical records at a hospital by hacking into the food services system. Healthcare data breaches cost, on average, $408 per record—the highest cost among all industries for the eighth straight year, and nearly three times higher than the cross-industry average of $148 per record. Cybersecurity attacks compromise patient safety and privacy, impact a hospital’s reputation and patients’ trust in the hospital, and can potentially cause significant financial damage.

Types of Cybersecurity Attacks

Insider threats are a large part of cybersecurity risks. According to one study, 58 percent of cybersecurity incidents in health care involve individuals employed by the health system. Insider threats can range from accidents (e.g., a lost laptop) and unknowingly clicking on a phishing link to purposefully selling or using personal health information for identity theft.

Ransomware represents another common form of cybersecurity risk. Ransomware is a type of software that cyberattackers use to take over a victim’s computer system and deny the user access to data unless the user pays a ransom, generally in cryptocurrency, to unlock the files. This year, there have been well-publicized ransomware attacks against healthcare organizations, such as Allscripts and LabCorp, with both attacks shutting down system functionality for a week or more.

The proliferation of IoT devices and their use in health care is growing rapidly, providing hackers more endpoints to target health information. IoT devices can range from the 3.7 million clinical devices that collect and transmit data via online networks to devices like iPads and wearables, which may not be critical to care but have increasing access to patient data. In July, the National Institute of Standards and Technology (NIST) issued a report indicating that clinicians are increasingly bringing their own smartphones and other devices to use at work, which necessitates protection against both privacy violations and cybersecurity vulnerabilities.

The Food and Drug Administration also recently released an action plan for medical device safety to help inform both owners and users of potential vulnerabilities in their devices. The plan may be a helpful resource for hospitals and health systems looking to increase device security.

The increase in merger and acquisition activity in the healthcare sector is another issue that raises cybersecurity concerns. When two systems merge and interconnect, IT integration challenges invariably arise. Different medical technologies and devices, along with the need to share information between newly merged organizations, can create new vulnerabilities in systems.

Improving Cybersecurity Response

With the looming threat of expensive cyberattacks, hospitals and health systems can face a variety of internal challenges in dealing with cybersecurity as an enterprisewide risk management issue rather than just an IT issue. Preventive planning is the main tool for protecting against cyberattacks in the first place, but some hospitals do not realize that their current level of due diligence puts them at risk.

Proper staffing is key to advancing good cyber hygiene, defined as the individual behaviors used to appropriately protect and maintain IT systems and implement cybersecurity best practices. Many chief information officers are frustrated by lack of investment in personnel and infrastructure. Many CEOs and CFOs are reluctant to invest resources in an area with little direct return in the form of increased financial stability. However, cybersecurity investments in the form of hiring, infrastructure development, and crisis planning are critical to protecting delivery systems’ brand, reputation, and financial health.

Other preventive measures that hospitals may consider include training nonsecurity staff on effective cyber hygiene, which comprises a spectrum of habits, including performing effective end-point management (e.g., securing legacy medical devices and software systems), consistently backing up data, securing personal health information at the site of care, and recognizing and reporting phishing emails. Healthcare organizations should take inventory of what cyber hygiene habits they would like to focus on and improve to protect against cyber threats.

Event Response

If a hospital is attacked, its ability to respond effectively can determine the severity, liability, and cost of the breach. In preventive planning, it is critically important to develop and exercise an emergency response plan that outlines policies, processes, and expectations in the event of a cyberattack and that ensures the right staff are in place and armed with the best tools and training to augment their work. A cybersecurity framework created by NIST and a discussion guide developed by the Centers for Disease Control are helpful tools that healthcare organizations can use to evaluate their cybersecurity infrastructure and develop effective response plans. [h]

Summing Up

As cyberattackers become more inventive and sophisticated, healthcare organizations must ensure that their cybersecurity infrastructures are keeping pace. Proper prevention against attacks requires attention and vigilance, just as responses in the event of an attack may require flexibility. Meaningful investment in cybersecurity will both offer financial returns and build confidence among staff and consumers that their digital protection is a priority.

Footnotes

h. National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Feb. 12, 2014; Centers for Disease Control and Prevention, Healthcare Organization and Hospital Discussion Guide for Cybersecurity, August 2016.


David Lee, JD, is a director at Leavitt Partners LLC, Salt Lake City.

Jenna Jackson is an associate, Leavitt Partners, LLC Salt Lake City.
