
by Russ Branzell
Published on September 17, 2018

One day in May 2017, a Spanish telecommunications company reported a cyber incident. About the same time, many miles away in the U.K., the WannaCry virus had spread to a computer belonging to the National Health Service (NHS) and began exploiting its file-sharing network. Within hours, at least 16 organizations in the NHS were compromised. Ransom notes appeared with payment demands and deadlines. The attack spread to 45 organizations and 37 trusts, forcing hospitals to shut down their electronic systems and switch to paper, divert emergency care patients and cancel elective surgeries and appointments.

The final cost to NHS was more than $1.4 million. WannaCry spread to more than 150 countries, infected 600,000 computers and wormed its way into medical devices. Global costs reached $4 billion.

WannaCry and the Petya/NotPetya cyberattacks that followed were a wake-up call for the health care industry. Although malware has been menacing industries for decades, 2017 proved to be a record year for massive destructive cyberattacks. Not only were the attacks growing in sophistication, they also were becoming more virulent, with the motivation shifting from a cyber criminal’s mere greed to a malevolent nation state’s deliberate goal to create mayhem.

Phishing attacks, malware and ransomware are at the top of Becker’s list of cybersecurity threats to health care organizations. Breaches are achieved through a brute force approach, where a bad actor repeatedly tries to guess a user name and password, or through human error, for instance with an email recipient clicking on an attachment.

We can’t eliminate all cyber risks, but we can help reduce the exposure to them.

Karl West, assistant vice president and the chief information security officer at Intermountain Healthcare in Utah, emphasizes the role of people in any robust cybersecurity program. He is a leading authority on cybersecurity and an ex-officio member of the board for the Association for Executives in Healthcare Information Security (AEHIS), which is affiliated with the College of Healthcare Information Management Executives (CHIME). In this post, I’ll share some of the lessons he and I discussed during a joint cybersecurity presentation that we conducted earlier this year.

Cybersecurity best practices for health care organizations

A hospital can have the best security system in place, but without proper staffing and a workforce that is educated in good cyber hygiene, it will fail. A health care organization should start by hiring a CISO, if they don’t already have one. Cyber criminals today are very sophisticated, and health care organizations need someone whose skills and knowledge are at least on par with those bad actors. Best-in-class cybersecurity programs also provide continuing education for staff about cybersecurity safety protocols.

Beyond people, a health care organization needs to have systems and processes in place to monitor, detect and prevent a cyber incursion. Robust cybersecurity programs have a protocol for responding to a breach and a recovery plan that mitigates the damage. They know what their assets are, where they are, who has access to them and how to respond, recover and return to normal operations.

Karl recommended conducting a data inventory and ensuring it is accurate and up to date. His inventory list includes:

  • Application name
  • Application description
  • Data classification
  • Security review ID
  • Business owner contact
  • Technical owner contact
  • Asset location
  • Access: internal/external/both
  • Contains PHI?
  • Number of records/users

Once an organization knows what it has, how can it protect its digital assets? Leadership should assess the organization’s risk tolerance to determine proper controls. To detect and respond to cyberthreats, establish a security operations center; artificial intelligence can play an important role in this.

Health care organizations can take some fairly easy steps to thwart a cyberattack, too. These include using two-step verification, which strengthens authentication by helping to ensure an entity is known. Requiring strong passwords can help defend against brute-force attempts to hack into a system.

In health care, we often say it is not a case of if a cyberattack will occur, but when. Leadership should do everything possible now to be prepared for the inevitable.

For more cybersecurity insights, you’re welcome to participate in the CHIME Advocacy Summit in Washington, D.C. on Oct. 3-5. The summit will provide an in-depth overview of cybersecurity policies, challenges and strategies to combat cybercrime. For more information and to register, go here.

CHIME will also have a presence and will provide an update on the CHIME Opioid Task Force and policy efforts at the 2018 Cerner Health Conference (CHC) in Kansas City from Oct. 8-12. Register for CHC18 here.
