Hospital and health system chief information security officers are no longer simply worried about the possibility of an employee clicking on a spam email or link as part of a phishing attack, no matter how common these instances still are today. Rather, ransomware attacks, internal threats and device vulnerabilities continue to plague hospitals, with no signs of stopping.
In the past decade, ransomware attacks, and the damage they wreak on hospitals and health systems, have dominated news coverage. Last year, Simi Valley, Calif.-based Wood Ranch Medical Center announced that it would close in December after a ransomware attack caused the medical clinic to lose access to patients' medical records. The city of Baltimore has asked for nearly $20 million to recover from a ransomware attack. Those hackers demanded $7 million, which the city did not pay, in return for decryption codes. Many hospital and health system leaders agree that the presence and sophistication of ransomware attacks are the most pressing cybersecurity threat.
"I consider the current ransomware attack methods to be the largest threat. They have evolved from enticing people to open corrupt email attachments to active probing of corporate, municipal and healthcare networks," said Indianapolis-based Indiana University Health CISO Mitch Parker.
"This has allowed attackers to actively search for and detonate ransomware in critical locations at specific times to cause maximum impact. It's also permitted attackers to exfiltrate data and threaten to publicly publish it," he continued.
Cybercriminals threatening to publish the data if organizations do not pay a ransom is a real threat. Hackers using Maze ransomware infected 231 stations from Medical Diagnostic and are threatening to publicly disclose the data on the computers if the company does not pay the $1.7 million ransom, which MDLabs has refused to pay.
However, not all hospitals and medical centers, particularly small, independent hospitals, have the budgets to allocate a significant amount of money toward cybersecurity efforts. Rather, they rely on training employees and outside vendors to keep patient data and connected devices secure.
Despite hospitals and health systems relying on employees to keep information secure, there has been a rise in internal data breaches. In January, Southfield, Mich.-based Beaumont Health fired an employee for leaking the information of 1,182 patients. Last year, dozens of nurses and other staff members at Chicago-based Northwestern Memorial Hospital were fired for improperly viewing the medical records of actor Jussie Smollett after he claimed to have been assaulted.
On top of being the safeguards of patient information, clinicians and leaders must be cautious of the potential vulnerabilities that could be exploited in connected devices and patient care equipment. Six vulnerabilities were found in GE Healthcare devices, which, if exploited, could allow hackers to make the devices unusable or interfere with their functionality.
Lenny Levy, the former interim CISO of Renton, Wash.-based Providence St. Joseph Health and interim CISO for a large children's hospital, is among the hospital leaders emphasizing the importance of quality care and patient safety when it comes to cybersecurity efforts.
"Ultimately, quality care and patient safety is paramount," he told Becker's Hospital Review. "While large data breaches dominate the news, cyberattacks that can impact patient safety are a bigger risk. While more conceptual than common, attacks that impact integrity of patient data or manipulate medical device settings/output can have a direct impact on patient safety."
With threats coming from every direction, hospitals and health systems should take a holistic approach to preventing and mitigating cybersecurity incidents, Mr. Parker said.
"These attacks have caused significant impacts to patients, customers and citizens, and have demonstrated that cybersecurity cannot be just one or two levels of protection," he said. "Health systems need to take a holistic view of their entire network and also need the cooperation of leadership to help to globally address these issues."