Keeping hospital data safe must become a top priority

May 08, 2018
By Brian Berger

In today’s worldwide network of complex interconnectedness and unprecedented vulnerability, how concerned should our health care organizations be about cyber threats?

According to news outlets across the country, the answer is: “VERY!” This network is challenged to find solutions for big problems. With the constant change in technologies and processes used throughout the organizations, it’s no surprise that this network is one of the most vulnerable to cyberattacks.

Throughout the world, health care organizations have fast become the leading targets for cybercriminals, with data breaches in recent years costing the health care industry $5.6 billion annually. Although these organizations are under pressure to continuously consolidate systems in order to protect the confidentiality, availability, and integrity of patient and network data, evidence shows that many processes have gaps and vulnerabilities that ultimately serve as “hot spots” for malicious activity. While there are significant benefits to care delivery and organizational efficiency from the expanded use of networked technology, Internet-enabled medical devices and electronic databases for clinical, financial and administrative operations, exposure to potential cyberattacks increases. In addition, laws and regulations are ever-changing, and while tedious security measures provide a good platform to ensure the basic protection of the infrastructure, they are no longer enough to prevent breaches.

Curing patients while protecting the entire IT landscape is no easy undertaking. Massive amounts of personally identifiable information are spread throughout the network. Many institutes and clinics in the health care industry have upgraded the way they manage and safeguard vital IoT devices and connections (heart monitors, pumps, laptops, etc.). Now, more than ever, there is a need to balance the desire for interoperable devices with increased cybersecurity against the most common attacks, like phishing and ransomware.

Many health care organizations have fallen victim to ransomware, a form of malware that targets human and technical weaknesses to deny access to critical data and systems and is frequently distributed through emails and links. Some of the hospitals that have fallen victim to this type of attack include Hollywood Presbyterian Medical Center; Methodist Hospital in Henderson, Kentucky; MedStar Health; and Kansas Heart Hospital. The remediations alone have cost these organizations millions of dollars in damages.

Best practices
To effectively create a better cyber posture for health care organizations, there is a need for integrative capacity, scalability and real-time assessment capabilities. With the increasing incidence of cyberattacks, these organizations will need to designate a higher level of IT spending to mitigate the compounding risks. According to technology research leader Gartner, in a story in CSO, “cybersecurity spending could exceed $1 trillion from 2017 to 2021.” Health care executives must leverage their financial resources to best position their organizations to defend against cyber threats.

Understanding best practices in developing effective cybersecurity measures is a strategic approach to delivering on this agenda.

Consider the following cybersecurity functions and suggested controls:

• Identify, protect, detect, respond and recover.
• Comprehend the threats facing the health organization, including ransomware and phishing.
• Identify the critical assets and proprietary knowledge, including personally identifiable information.
• Understand the strengths and weaknesses of current cybersecurity arrangements.
• Raise awareness among employees and train them in proper computer posture.
• Develop a cybersecurity roadmap with a plan to remediate in the wake of an attack.

On the last point, relative to developing a cybersecurity plan, health care executives, in coordination with their IT departments and vendor partners, should focus on several important actions, including:

• Ensuring that all hospital technology has the latest security software, web browser and OS.
• Creating a mobile device action plan.
• Protecting Internet connections by using a firewall and encrypting information.
• Controlling physical access to computers and network components with complex passwords.

With the range of cyber threats constantly changing, health care organizations need to be even more vigilant in their approach to mitigating cyber risks and strengthening their security profile. Health care professionals can benefit from the insight and expertise of a trusted IT solution team to assist them in navigating the complexities of the cybersecurity world.

About the author: Brian Berger is the executive vice president of commercial cybersecurity for Cytellix, responsible for 24/7 system management and business operations, as well as marketing, development, sales and engineering support of the cyber team and its solutions. With more than 28 years of experience in device security, IT, data analytics and corporate leadership, Berger has led the successful development of strategic engagement agreements with multibillion-dollar cloud service providers, securing significant contracts in data encryption, authentication, network security, cloud, analytics and embedded hardware security.