Five Questions with AHA’s Chantal Worzala

Nov 14, 2018
Nikki McDonald


The health care industry is falling prey to cyber criminals intent on stealing patient data. Medical records are rich in lucrative patient information, making hospitals prime targets for ransomware attacks similar to the massive WannaCry attack that hit Windows users last year and shut down hospitals across the UK. We spoke last year with Dr. Chantal Worzala, vice president of health information and policy operations at the American Hospital Association, to learn more about what health care organizations can do to protect themselves and their patients from cyber threats.

Who exactly is attacking hospitals and why? What makes hospitals a prime target for ransomware attacks?

The health care sector is being hit by the same bad actors as other sectors—criminals with various motivations. Some are looking for financial gain, such as those conducting ransomware attacks or looking to steal data; others are interested in obtaining intellectual property. And, of course, we see nation-states involved in cyber espionage that also see value in health care data. It is important to recognize that all sectors are being hit with cyber attacks. In fact, the FBI estimates that over 4,000 ransomware attacks occur daily. Other sectors may be less likely to publicly report attacks, given variations in breach notification requirements.

What should hospitals be doing to improve their defenses against cyber attacks? How many are actually doing it?

Hospital and health system leaders recognize that data held by health care organizations is highly sensitive, as well as valuable, and are taking cybersecurity challenges extremely seriously. The vast majority of hospitals are already taking many important security steps while they continue to build out their capabilities.

For instance, more than 80 percent of hospitals have implemented intrusion detection systems; similarly, 80 percent also use encryption on their wireless networks, mobile devices, and removable media. Moreover, more than 90 percent of hospitals require the use of strong passwords, require passcodes on mobile devices, encrypt laptops and/or workstations, at least annually perform a risk analysis to identify compliance gaps and security vulnerabilities, and at least annually undergo an infrastructure security assessment.

To learn more about what hospitals are doing to secure systems, we have a one-page factsheet that shows how hospitals are implementing cybersecurity measures.

Are there any positive case studies you can share of hospitals using best practices to improve their medical device security?

We hear from hospitals and health systems that medical devices are a weak link in their security infrastructure. Many devices contain security weaknesses and do not have embedded tools that provide security controls. Several hospitals and health systems have been leading the way in how to work with medical device manufacturers to address this issue. Increasingly, they include security requirements in their procurement decisions. The AHA recently showcased the work of Mayo Clinic in this regard.

What are the biggest challenges hospitals face in their efforts to beef up their cybersecurity?

Hospitals and health systems face a number of challenges. First and foremost, they must balance security of their information with access to it. Many individuals legitimately need to access health records to ensure good care and take care of administrative issues. So, data cannot simply be locked down. In addition, there are significant resource constraints in health care, as well as shortages of security professionals. Hospitals and health systems also need better, actionable information about cyber threats and cooperation from their many vendors and partners, including medical device companies.

What is the single most important thing healthcare providers can do to improve their medical device security?

We encourage all hospitals and health systems to take a risk management approach to cybersecurity. That applies to medical devices, as well as overall health information security.


The Archimedes Medical Device Security 101 Conference takes place January 21-22, 2019 in Orlando, Florida. Register today for your opportunity to learn from the industry’s leading security researchers and practitioners.