No Firm Answers With A Long Road Ahead
One errant click on an email can shut down a hospital. If you don’t believe me, just ask the hospitals that have had a cybersecurity attack over the last several years. These haven’t been small hospitals, but notable health systems and national hospital operators.
In fact, healthcare has become a favorite of ransomware attacks, data breaches and the focus of hackers worldwide. Last month alone, the Wannacry attack impacted 150 computers and more than 300,000 computers worldwide. While that was a worldwide attack on many industries, it hit healthcare hard, affecting 16 hospitals across the UK and leaving many of those hospitals without access to patient records. In one case, a UK hospital had to cease all non-emergent operational capabilities for a while, which meant an impact to patient care.
Healthcare in the U.S. and abroad is viewed as one of the most vulnerable industries for cybersecurity threats. Health IT systems are extremely susceptible and the data they contain – patient records – was once valued higher on the black market than individuals’ financial data. Now, hackers and intruders have moved to ransomware – locking down a healthcare organization’s IT systems and requesting a “ransom” to restore access. And these attacks range from being highly sophisticated to simple email phishing that start with an innocent enough looking email.
It’s not just software or IT systems that can be hacked. Medical devices, not usually thought about as being open to attack, have also been known to be extremely exposed because these devices connect to a range of sensors and monitors. When hacked, medical devices become extremely personal to the patient in most cases, especially with implanted devices like pacemakers. Medical device cybersecurity is so important that the FDA released a fact sheet explaining its responsibilities related to cybersecurity.
Two years in the making and born out of the Cybersecurity Act of 2015, the Health Care Industry Cybersecurity Task Force released a report to Congress – Improving Cybersecurity in the Health Care Industry – with six imperatives specifically designed to address this challenge:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- inrease the security and resilience of medical devices and health IT.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.
The report addresses a range of topics, but stresses the need for balancing the collection of data with the overwhelming need to secure systems, medical devices and data itself. There are many challenges identified in this report, including the IT resources within healthcare organizations, many of which operate at extremely low margins.
While these may seem like attacks on computer systems and devices attached to a bunch of wires, healthcare cybersecurity is truly targeted at limiting a healthcare organization’s ability to conduct business normally and effectively. This puts patients’ lives at risk and causes other such issues as stressing a healthcare provider’s financial viability to patient dissatisfaction and distrust.
It’s a chaotic enough time in healthcare. When cybersecurity is factored in, the challenges are even more demanding and difficult to overcome. Finding answers to escape the healthcare cybersecurity chaos are all too important. Our lives depend on it.
Join TN HIMSS on June 22 for the first of a two-part panel discussion on cybersecurity in healthcare and how to mitigate risks, prevent attacks and be prepared. An outstanding panel of healthcare CISOs and government officials have been convened to provide deep insight into this timely topic. More information can be found at: http://tnhimss.org/events-3/hit-cybersecurity-series/.