Over the past year, ransomware has dominated the cybersecurity scene.
Kaspersky Lab, a Woburn, Mass.-based cybersecurity company, named ransomware the key security topic of 2016; moving into 2017, a survey by Boston-based cybersecurity company Barkly found IT professionals rank ransomware as their number one security concern. This worry is especially pressing for the healthcare industry, with some reports finding hospitals are hit with up to 88 percent of all ransomware attacks.
Jack Danahy, cofounder and chief technology officer of Barkly, spoke with Becker's Hospital Review about why hospitals need to remain vigilant, what steps CIOs can take to reduce their facility's vulnerabilities and how information security has changed since he entered the industry in the 1980s.
Question: What is the number one piece of advice you would give to a hospital looking to reduce its vulnerability to ransomware?
Jack Danahy: It's not all about protected health information. There's a lot more that goes on in the modern hospital that you have to worry about beyond whether patient information has been adequately protected.
Admittedly, when hospitals focus on PHI and compliance, they're prioritizing around a sense of urgency because of HIPAA, and because of their own sense of personal responsibility. But as we've seen in some of these attacks, the outcome is not to steal a patient's information — in the case of ransomware, it's to scramble it up. And sometimes it's to scramble the system that it's running on, rather than the data itself, to preclude that hospital from offering its services at all.
Those are issues that aren't going to be addressed if all a hospital is doing is focusing on PHI and the required safeguards described in HIPAA. The first recommendation I'd give to them, then, is to think beyond the protection of the private data. It's not that PHI isn't important, but it's not everything.
Q: What are some of the main challenges hospitals face when implementing cybersecurity programs?
JD: Inertia is a problem. The provision of healthcare is time-honored, and when we begin to change the way that we expect doctors, nurses, specialists and technicians to provide care, there's going to naturally be some pushback or resistance.
A lot of the people who are incredibly important in healthcare are the people who have dealt with paper-based patient records for many, many years, and who are very proficient in it. And now, in the past 10 or 15 years, they've been asked to move to an entirely different system. I think hospitals should be sensitive to the fact that a really great employee, with 20 years of experience, is still going to be really great, even after their job transforms. They just need to be given some additional support, and then they can continue to be the excellent contributors that they were before the Internet rolled on in.
Q: What do you see as a key area for growth in the cybersecurity industry for healthcare?
JD: There's a lot that's being done in raising awareness of the impact of security on devices that exist inside the Internet of Things. I think we'll see advancement over the next couple of years, both in terms of the manufacturers ensuring those devices are more secure, and on the part of the security teams, making sure that the way in which those devices are attached, where they're attached and what they're used for is better understood.
The question security teams can ask is, "how do you protect people?" That's always been my focus. It's not so much "how do systems get broken into?" as "how do you make systems stronger?" A lot of what ended up happening in the early days of the Internet, the late '90s and the early 2000s, was really smart security folks trying to get one step ahead of the attackers, trying to figure out how they're going to try to break in next and how to recognize that a system is being broken into. Looking forward, the most important emphasis is how to keep those break-ins from happening in the first place.