By Matt Phillion
Healthcare organizations are prime targets for cyberattacks. Patient information represents a high-value proposition for hackers, and bad actors know how effective the threat of attacking patient data is. While organizations have turned their attention to the COVID-19 pandemic, numbers show that cyberattacks have not relented: According to FBI statistics, since March 2020 there has been a 400% increase in cyberattack complaints.
Changes in how medical care is provided have opened up a host of avenues for cyberattacks, with the rise of telehealth and more healthcare staff working remotely. But many of the challenges the industry faces are tied to problems that existed before the pandemic. Old systems, outdated policies, and unprotected Internet of Things (IoT) devices were issues healthcare facilities needed to address before the lockdown, and they’re still problems for many facilities today. Meanwhile, hackers get better and better at tricking workers and patients into giving up private information, making cybersecurity all the more challenging.
Heather Annolino, senior director of healthcare practice for Ventiv Technology, has been exploring how healthcare organizations can adopt better technology, policies, practices, and processes to protect patient information and defend against cyberthreats.
“Compared to other industries, the health systems have been slower to move forward in creating departments focused on cybersecurity,” says Annolino. “But often when looking at all the risks they’re trying to prioritize, cyberthreats are lower on the list than they should be.”
Prior to the pandemic, data breaches and other cyberthreats were hitting the healthcare world hard. But the advent of COVID-19 both introduced new challenges and accelerated existing ones. The World Health Organization wrote in April that they had seen a fivefold increase in cyberattacks targeting healthcare.
The first question we have to ask is: What is the appropriate response for hospitals and other organizations?
Cyberthreats are a disaster, like any other
Hospitals are constantly preparing for disasters—whether that means natural disasters, overloaded emergency departments, or even a pandemic response.
“Cyberattacks have to be considered one of those potential disasters,” says Annolino. “They should be doing drills so they can be prepared to manage what comes their way, just as they would with other disasters.”
Cyberthreats became even more prevalent as, out of necessity during the pandemic, staff who could work remotely were urged to do so. Every home network and personal device that now touched hospital systems was an additional point of exposure.
“An increased digital adoption meant we had to ask: Were organizations prepared to handle the increase in network risks as more staff worked remotely?” says Annolino. “Did they have a crisis plan in place for these new threats?”
Like any other disaster preparedness program, a healthcare organization should look for ways to bridge process gaps and identify security weaknesses. Annolino recently worked with a group that brought facility leaders across four states together to have a frank discussion about preventive measures for security breaches they could adopt with their budget and resources.
Prevention is a huge part of protecting against cyberthreats, not just in terms of technology or digital solutions, but in identifying gaps where human error can occur—similar to other risk analyses.
“One challenge is the education gap, where in large systems with turnover you’re constantly reeducating staff about cybersecurity,” Annolino says. “But there’s also unfortunately human error. Human error impacts patient safety, and the same can happen with cybersecurity.”
Busy, distracted workers are a prime target for security risks like phishing attacks. Phishing emails and messages are designed to trick users into providing information like usernames and passwords through clever, treacherous language. And busy workers, even ones who are trained to spot signs of a phishing attack, are apt to fall for one eventually.
“Making sure staff can quickly identify phishing risks is critical. But in the fast-paced environment of healthcare, that may not always be possible,” says Annolino. “This requires organizations to have ongoing training to teach staff how to prevent breaches. As nurses are not embedded in the security industry, providing constant insight into the latest methods used by hackers will reduce the chances of cyber risks.”
There’s a surprising overlap between patient safety and cybersecurity, and in how we approach both. “As we know, patient safety stories are important; that’s one way we can learn from our mistakes,” says Annolino. “I don’t think cybersecurity breaches are any different.” Stories help paint a bigger picture: an enterprise-level risk management view that many hospitals may not have taken yet.
Protecting patient data is patient safety
That story component can, and should, be used to help everyone understand that cybersecurity isn’t just a technology issue—it’s part of patient safety.
“You’re in the business of caring for patients. This is a patient safety issue,” says Annolino. “You’re protecting their data.”
Anyone who deals with patient data is one of its guardians, and staff should be aware of how precious hospital and patient data is. Personal health information is incredibly valuable to hackers, and bad actors can use that data in different nefarious ways. Not only can they access patient records in a ransomware attack, but by holding that patient data for ransom they cut clinicians off from the information they need, which increases the risk of patient errors.
Sometimes it sounds like science fiction—TV shows where hackers try to attack a world leader’s pacemaker come to mind—but if we can imagine it, hackers are thinking about it. And with more and more technology connected to the web, the attack vector for cyberattacks grows. It’s not just horror stories about stealing control of a medical device. Every time a physician uses their phone in a way that touches patient data, there’s additional risk.
IoT and wireless devices bring with them a range of additional concerns. Take a stolen or lost laptop, for example: Can the organization lock or wipe the machine remotely?
“Technology is only going to get more complicated. We need ways to protect the sensitive data and to identify if anything is going outside the central system. This requires daily scans, monitoring, testing, and making sure security measures are working,” says Annolino. “Organizations should be testing their business continuity plans. It’s not just the potential for loss of data. It’s the potential for loss of life.”
An interesting side effect of the number of hospital and health system mergers in the past decade has been an increased threat surface for potential cyberattacks. Mergers connect disparate systems that organizations are trying to cohesively manage.
“That connectivity has expanded dramatically, which expands vulnerability,” Annolino says. “Key questions organizations need to ask include, ‘How do our systems talk to each other? And what gaps are there?’ ” And it will be even more critical for staff to receive education about the risks of not using proper care with technology.
Another challenge: Many hospitals are still on legacy systems. “They’re at least doing the patches, making sure they’re using the latest versions possible,” says Annolino. “But these are not easy, budget-friendly options to fix. We do need to think more forward with our budgeting in order to make sure we have the right antivirus, the right antimalware solutions, and that we’re doing regular backups and asking what would we do during disaster recovery.”
Backing up data isn’t enough anymore, either—hackers using ransomware will instead threaten to expose stolen data, posting it to the internet if a ransom is not paid. “Even though hospitals were trying to be smart about security, hackers were one step ahead,” says Annolino.
Thinking back to the way telehealth has expanded during COVID-19, now is an excellent time to reassess how that process is secured. Necessity required quick-fix systems to get patients and doctors talking to each other during the pandemic, but now that the dust has settled a bit, it’s time to make sure everything is in place to protect patient information in virtual visits as well.
“[Telehealth] won’t be going away,” says Annolino. “It’s amazing technology and helps with increasing care access for patients such as the elderly. It was rushed forward because of the crisis, but now we need to make sure it’s all in working order.”
Tips for staying ahead of the bad guys
When assessing cyber risk, one place to start is access. Who can get their hands or eyes on what data? “Even with a VPN or some other way of protecting access points, it’s important that access is based on job responsibility or job description,” says Annolino. Limiting access then limits the potential for loss or theft.
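The "access based on job responsibility" idea above can be made concrete as a deny-by-default authorization check. The following is an added illustration, not code from the article or from Ventiv Technology; the roles, permissions, record layout and audit-log format are all assumptions constructed for the example. It goes one step beyond the quote by also requiring a documented care relationship for clinical permissions, so a clinician with the right role still cannot browse charts of patients they are not treating, and by logging every decision so that denials can be fed into the incident tracking the article recommends later.

```python
"""Deny-by-default, role-based access check for patient records.

Added illustration for the 'access based on job responsibility' point;
not code from the article or from Ventiv Technology. Roles, permissions,
record format and audit-log fields are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions each job role needs for its duties (assumption: a minimal
# "minimum necessary" mapping; a real one would be reviewed by compliance).
ROLE_PERMISSIONS = {
    "attending_physician": {"chart:read", "chart:write", "orders:write"},
    "nurse": {"chart:read", "vitals:write"},
    "billing_clerk": {"billing:read", "billing:write"},
    "it_admin": {"system:maintain"},  # deliberately no clinical data access
}

# Clinical permissions additionally require the user to be on the patient's
# care team, so role alone does not open every chart in the system.
CARE_TEAM_ONLY = {"chart:read", "chart:write", "orders:write", "vitals:write"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass
class PatientRecord:
    patient_id: str
    care_team: set = field(default_factory=set)  # user_ids currently treating


AUDIT_LOG: list[dict] = []


def check_access(user: User, record: PatientRecord, permission: str) -> bool:
    """Return True only if the role grants `permission` and, for clinical
    permissions, the user is on the patient's care team. Every decision is
    appended to AUDIT_LOG so denials and unusual patterns can be reviewed."""
    granted = ROLE_PERMISSIONS.get(user.role, set())  # unknown role -> no rights
    allowed = permission in granted
    reason = "role" if allowed else "role lacks permission"
    if allowed and permission in CARE_TEAM_ONLY and user.user_id not in record.care_team:
        allowed = False
        reason = "not on care team"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id, "role": user.role,
        "patient": record.patient_id, "permission": permission,
        "decision": "allow" if allowed else "deny", "reason": reason,
    })
    return allowed


def denied_events(log=None) -> list[dict]:
    """Filter the audit log for denials; a burst of these from one user is
    the kind of event worth routing into the incident-reporting system."""
    return [e for e in (AUDIT_LOG if log is None else log) if e["decision"] == "deny"]


if __name__ == "__main__":
    # Constructed sample data: one patient, one treating physician.
    rec = PatientRecord("P-1001", care_team={"dr-lee"})
    print(check_access(User("dr-lee", "attending_physician"), rec, "chart:read"))  # True
    print(check_access(User("dr-kim", "attending_physician"), rec, "chart:read"))  # False
    print(check_access(User("bob", "it_admin"), rec, "chart:read"))                # False
    print(check_access(User("carol", "billing_clerk"), rec, "billing:read"))       # True
    for e in denied_events():
        print(e["user"], e["permission"], e["reason"])
```

The two design choices that matter are that an unknown or missing role grants nothing, and that the audit entry is written for allows as well as denies; the first enforces the "limit access" point, the second gives the security and patient-safety teams the record they need when a breach is later investigated.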
Thinking of cyber risks in a similar way as other risk management issues can go a long way to detecting threats as well as educating staff. Consider doing unannounced training for phishing to help staff better understand the kinds of attacks that may target them, either individually or as part of the larger organization. “It’s not intentional, but we can get tunnel vision,” says Annolino. By making the best practices for better cybersecurity second nature to staff, you can help eliminate some of the human error risks all organizations face.
Excellent cybersecurity in hospitals goes beyond just hiring a CIO or CISO. “Give those roles the resources they need,” says Annolino. This goes not just for larger organizations like healthcare systems or university hospitals. Critical access hospitals, urgent care clinics, freestanding clinics—all organizations can be targeted for attacks. And now, with the COVID-19 vaccine rolling out, additional vectors are appearing as pharmacies and other smaller locations handle patient data in new ways.
“Look to your home base first,” says Annolino. Hospitals are getting there, but as physician groups, ambulatory settings, and others become part of larger systems, they are also part of the larger organization’s cybersecurity domain.
Finally, consider making cybersecurity part of your overall incident reporting and management system. “Make sure you’re tracking cyber events there,” says Annolino, “not just what the cybersecurity team sees. How are you tracking your cyber events? This is a patient safety issue, and it’s not just about money, or about HIPAA compliance. You need to be tracking all of those events.”
Treat a cyber event like a patient error, says Annolino. There is a real impact on the patient when their data is stolen, and it can affect their care and treatment. “It’s important to really understand operationally what the event did to those involved.”
She notes, “There is so much information available on improving cybersecurity. Healthcare needs to seek those experts out to help address the accelerated need for more protection and more awareness.”
Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at firstname.lastname@example.org.