One day in May in 2017, a Spanish telecommunications company reported a cyber incident. About the same time, many miles away in the U.K., the WannaCry virus had spread to a computer belonging to the National Health Service (NHS) and began exploiting their file-sharing network. Within hours, at least 16 organizations in the NHS were compromised. Ransom notes appeared with payment demands and deadlines. The attack spread to 45 organizations and 37 trusts, forcing hospitals to shut down their electronic systems and switch to paper, divert emergency care patients and cancel elective surgeries and appointments.
The final cost to NHS was more than $1.4 million. WannaCry spread to more than 150 countries, infected 600,000 computers and wormed its way into medical devices. Global costs reached $4 billion.
WannaCry and the Petya/NotPetya cyberattacks that followed were a wakeup call for the health care industry. Although malware has been menacing industries for decades, 2017 proved to be a record year for massive destructive cyberattacks. Not only were the attacks growing in sophistication, they also were becoming more virulent with the motivation shifting from a cyber criminal’s mere greed to a malevolent nation state’s deliberate goal to create mayhem.
Phishing attacks, malware and ransomware are at the top of Becker’s list of cybersecurity threats to health care organizations. Breaches are achieved through a brute force approach, where a bad actor repeatedly tries to guess a user name and password, or through human error, for instance with an email recipient clicking on an attachment.
We can’t eliminate all cyber risks, but we can help reduce the exposure to them.
Karl West, assistant vice president and the chief information security officer at Intermountain Healthcare in Utah, emphasizes the role of people in any robust cybersecurity program. He is a leading authority on cybersecurity and an ex-officio member of the board for the Association for Executives in Healthcare Information Security (AEHIS), which is affiliated with the College of Healthcare Information Management Executives (CHIME). In this post, I’ll share some of the lessons he and I discussed during a joint cybersecurity presentation that we conducted earlier this year.
Cybersecurity best practices for health care organizations
A hospital can have the best security system in place, but without proper staffing and a workforce that is educated in good cyber hygiene, it will fail. A health care organization should start by hiring a CISO, if they don’t already have one. Cyber criminals today are very sophisticated, and health care organizations need someone whose skills and knowledge are at least on par with those bad actors. Best-in-class cybersecurity programs also provide continuing education for staff about cybersecurity safety protocols.
Beyond people, a health care organization needs to have systems and processes in place to monitor, detect and prevent a cyber incursion. Robust cybersecurity programs have a protocol for responding to a breach and a recovery plan that mitigates the damage. They know what their assets are, where they are, who has access to them and how to respond, recover and return to normal operations.
Karl recommended conducting a data inventory and ensure it is accurate and up to date. His inventory list includes:
- Application name
- Application description
- Data classification
- Security review ID
- Business owner contact
- Technical owner contact
- Asset location
- Access: internal/external/both
- Contains PHI?
- Number of records/users
Once an organization knows what it has, how can it protect its digital assets? Leadership should assess the organization’s risk tolerance to determine proper controls. To detect and respond to cyberthreats, establish a security operations center; artificial intelligence can play an important role in this.
Health care organizations can take some fairly easy steps to thwart a cyberattack, too. They include the use of two-step verification to increase authentication security to ensure an entity is known. Requiring strong passwords can help against the brute force approach to hack into a system.
In health care, we often say it is not a case of if a cyberattack will occur, but when. Leadership should do everything possible now to be prepared for the inevitable.
For more cybersecurity insights, you’re welcome to participate in the CHIME Advocacy Summit in Washington, D.C. on Oct. 3-5. The summit will provide an in-depth overview of cybersecurity policies, challenges and strategies to combat cybercrime. For more information and to register, go here.
CHIME will also have a presence and will provide an update on the CHIME Opioid Task Force and policy efforts at the 2018 Cerner Health Conference (CHC) in Kansas City from Oct. 8-12. Register for CHC18 here.