The healthcare industry’s digital systems and devices are under attack as never before.
This year, numerous hospitals across the United States have been the victims of so-called ransomware—malicious software that blocks access to a computer system until a sum of money is paid. For example, the Hollywood Presbyterian Medical Center in Los Angeles paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital’s computer systems and would give back access only when the money was paid.
There is also growing concern that medical devices such as insulin pumps, pacemakers, fetal monitors and scanners are vulnerable to hacking.
The role of technology in healthcare has never been greater. New and increasingly mobile technologies, coupled with the growing complexity of the Internet of Things (IoT), enable healthcare professionals to engage patients in their own care, support clinical relationships and provide bigger and better data for more effective planning and decision making. Yet putting IT at the heart of care increases the risk of data breaches, as recent high-profile public- and private-sector incidents have demonstrated.
“Cyberattacks are now a huge headache for healthcare IT management,” says Jonathan Lee, the UK Healthcare Sector Manager for UK-based security software company Sophos. “It’s a real challenge to keep control of device data and functionality without compromising care.”
While most healthcare management professionals are aware of cyberattack dangers, there is a general consensus that today’s medical facilities remain highly vulnerable.
“I don’t think hospital IT people have underestimated the threat, but many do not know where or how to begin protecting themselves,” says Robert Maliff, Director of the Applied Solutions Group at the ECRI Institute, an independent nonprofit organization that researches approaches to improving patient care.
“There are numerous attack points in hospitals,” continues Maliff. “Medical devices with data ports are located in unprotected areas like patient rooms. They also continue to run obsolete operating systems with next to no digital security in place.”
In the face of increasingly sophisticated threats, healthcare-specific security solutions must evolve to address the clear and present danger.
“It’s not enough to keep throwing disparate products at the problem any more,” says Sophos’s Lee. “We need products that can communicate and share intelligence so they can better respond to multi-vector threats.”
Basic Steps to Bolster Defenses
A growing number of cyber-criminals are now shifting their aim away from the relatively well-protected banking and commercial sectors toward the sitting duck that is healthcare. Going forward, the number of attacks on hospitals and other healthcare providers is likely to increase. “With ransomware continuing to be big news, the threat is not only significant, but also intensifying,” says Steve Mulhearn, Director of Enhanced Technologies at the California cybersecurity software company Fortinet.
While many medical facilities remain exposed, a number of basic steps can often be taken to bolster defenses. Many of these measures are inexpensive and simple common sense.
Perhaps the single most important step hospitals can take is to routinely back up data. This removes one motivation for hackers to attack. Many organizations end up paying ransoms simply because they haven’t made copies of their most important systems and files.
It’s also important to keep software up to date. “Be sure to enable automatic updating on all security software and operating systems,” says Lee. “Where possible, mobile devices and apps must be updated too.” Exposed systems can often be given an extra layer of protection with multi-factor authentication, so that even if cyber-criminals obtain system passwords, they are still blocked from the most critical data. “Two-step verification is good—think SMS codes. Two-factor authentication is best—think hardware tokens or biometrics,” says Lee.
In a digital world where malicious software abounds, and where phishing emails are more convincing than ever, healthcare employees should always connect with care. “Be suspicious of all emails containing attachments or links,” cautions Lee. “Especially ones that urge you to act right away. Take time to spot anything that looks odd and always verify those communications.”
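The backup advice above only pays off if the copies are versioned and can be shown to be intact before anyone relies on them. The script below is an added illustration, not code from the article or from any of the companies quoted in it: it takes a fresh timestamped snapshot of a directory, records a SHA-256 manifest of every file, and later re-checks the snapshot against that manifest so a corrupted or partially overwritten copy is caught before a restore is attempted. The sample records directory, file names and contents are constructed inside a temporary directory purely for the demonstration.

```python
"""Versioned backup with an integrity manifest, plus a verification step.

Added illustration for this article, not vendor or hospital code.
All paths and sample files below are constructed in a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, backup_root: Path, label: str = "") -> Path:
    """Copy source_dir into a new snapshot and record a hash of every file.

    Each run creates a fresh snapshot rather than overwriting the previous one,
    so an older clean copy survives even if the newest one was taken after an
    infection had already altered the source data.
    """
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    snapshot = backup_root / label
    data = snapshot / "data"
    shutil.copytree(source_dir, data)
    manifest = {
        "created": label,
        "files": {
            str(p.relative_to(data)): sha256_file(p)
            for p in sorted(data.rglob("*"))
            if p.is_file()
        },
    }
    (snapshot / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return snapshot


def verify_backup(snapshot: Path) -> list:
    """Return a list of problems; an empty list means the snapshot matches its manifest."""
    manifest = json.loads((snapshot / MANIFEST_NAME).read_text())
    data = snapshot / "data"
    problems = []
    for rel, expected in manifest["files"].items():
        path = data / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"altered: {rel}")
    # Files that appeared after the manifest was written are also suspicious.
    recorded = set(manifest["files"])
    for p in data.rglob("*"):
        if p.is_file() and str(p.relative_to(data)) not in recorded:
            problems.append(f"unexpected: {p.relative_to(data)}")
    return problems


def demo() -> dict:
    """Back up a constructed sample directory, verify it, then detect corruption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "records"                      # constructed sample data
        (source / "lab").mkdir(parents=True)
        (source / "lab" / "results.csv").write_text("patient_id,value\n1,42\n")
        (source / "notes.txt").write_text("constructed sample note\n")

        snap = create_backup(source, root / "backups", label="snap-001")
        clean = verify_backup(snap)

        # Simulate a copy that was overwritten after the snapshot was taken,
        # which is what an encrypting payload leaves behind on a reachable share.
        (snap / "data" / "notes.txt").write_bytes(b"\x00corrupted-placeholder")
        tampered = verify_backup(snap)

        manifest = json.loads((snap / MANIFEST_NAME).read_text())
        return {
            "clean_ok": clean == [],
            "tampered": tampered,
            "file_count": len(manifest["files"]),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest lives inside the snapshot here for simplicity; in practice its own hash should be recorded somewhere the backup host cannot write to, otherwise a copy that has been altered along with its manifest would still verify cleanly. The same reasoning argues for keeping at least one generation of snapshots offline or on storage the production network cannot modify, since a backup that the compromised system can reach is one the attacker can encrypt too.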
Healthcare workers are increasingly on the move. As their mobile devices proliferate, the security risks those devices bring should not be underestimated. The multi-faceted challenge of cyberattacks means hospitals and their security suppliers must work hand-in-hand to minimize risk.
While measures such as engaging digital security specialists and training employees comprehensively can be vital, they clearly involve a significant investment of time and money.
“Hospitals are waking up to the cyber threat, but the vast majority have budget constraints,” says Sophos’s Lee. “There is now a move toward cost-saving models such as the consolidation of IT security services and the pooling of financial resources and technical expertise. Such shared services offer many healthcare providers the best option for delivering effective protection across all service areas.”