Cybersecurity in Hospitals: Prevention as a Defense From Attacks
Do healthcare organizations have effective cybersecurity strategies to defend against these attacks?
Hospitals, like most modern organizations, increasingly rely upon information systems for a wide variety of administrative and clinical functions. These are highly complex organizations in terms of processes, which can have constant activity 24/7×365. Likewise, we must keep in mind that most of the equipment and diagnostics technologies used in medicine have highly computerized components. This entire network of devices, equipment and systems that often require connection to external systems, is a very critical and complex environment to control.
On top of the enormous organizational complexity, the need for dispersed systems that need to connect with each other and the extensive network of computerized medical equipment, we must add what is perhaps one of the most valuable pieces for a cybercriminal: clinical patient data.
If cyberattacks such as the recent WannaCry attack have serious financial and reputational consequences for companies from all sectors, an attack of this kind on a healthcare organization poses incalculable risks to the care and safety of patients.
The theft of clinical information leads to various criminal threats ranging from the use of stolen information for administrative fraud and the illicit use of drugs, to the sale of data files to other cybercriminals. It is important to remember that clinical patient information is highly sensitive and its theft and/or misuse has serious consequences for the patient’s own safety or even their insurance eligibility, impacting on their finances (expensive procedures performed on a third party fraudulently using their identity and medical insurance), etc.
What are the risks of poor cybersecurity management in healthcare?
A recent study conducted in the United States by HIMSS (1), based on a survey of more than 150 hospitals, concluded that the main motivations behind cyberattacks on hospitals are medical identity theft, theft and sale of stolen hospital information on the black market, and even unauthorized access and theft of patient information. However, the consequences of a cyberattack on a hospital are not limited to the theft or breach of medical information, but also involve other risks associated with the clinical and operational practice of these organizations.
Hospitals need to adopt serious, strategic and structural measures to defend their infrastructure and electronic protected health information from attacks, since a failure or unavailability of technologies and equipment can result in serious threats to the operational continuity of the organization and, consequently, to the timely, quality care of patients.
Recent ransomware attacks within the hospital industry have demonstrated the risk that hospitals are exposed to when malicious code succeeds in blocking or encrypting information from key operational systems, such as the Electronic Health Record, where all the patient information resides.
These ransomware attacks can be catastrophic for a hospital; not only because of operational disruption or blocked access to essential patient information, but also because of the financial costs involved in restoring systems and backup copies, as well as the damage to reputation that the hospital under attack may suffer as a result.
VP Healthcare everis Americas
Therefore, it is becoming increasingly essential for healthcare organizations to make a firm commitment to cybersecurity and ask themselves if the information systems they are using are sufficiently secure. Proper management of health information security is an essential and proactive element that involves the implementation of various organizational and technical measures in several key areas, including legal, regulatory, technological and educational, to mention the most important ones.
Strategic investment in infrastructure as a preventive element
Cybersecurity issues should not slow down the unstoppable and necessary hospital digitalization process. On the contrary, the best way to control and protect patient information and critical infrastructures is by using existing tools and technologies that can block non-authorized accesses, block viruses and various attacks, record each and every access to protected information, and control other vulnerable areas inherent to technological evolution, such as the so-called Internet of Things.
It would be absurd to deprive our population of scientific and technological advances in medicine and in the healthcare sector, since they are part of the personal well-being of each citizen and of society as a whole. The focus should be on putting cybersecurity at the top of the agendas of the executives of the sector. Unfortunately, we often react to catastrophic events and lack continuity and strategic vision, when computer security should be part of the agenda of the Digital Transformation of hospitals.
Cybersecurity and the Cloud
The implementation of reliable systems that meet the minimum requirements of availability and security requires significant investments in hardware infrastructure, software and technical personnel. Even though it is essential, not all hospitals have the capacity to assume the costs and implementation times that this infrastructure requires. This is why one of the most widely used options today is the implementation of cloud-based solutions, which reduces costs and offers a greater return on investment.
The use of cloud computing and, more specifically, SaaS solutions (such as the ehCOS Electronic Health Record), offers numerous advantages, yet it causes reticence and raises concerns in healthcare organizations. The key to a successful transition to the cloud, dispelling these concerns, is to correctly implement data security measures before even considering cloud deployment. Therefore, it is important to implement encryption mechanisms to adequately protect the stored information from unauthorized access.
We cannot continue to turn our backs to technical progress and we must be aware that the healthcare sector and the hospital sector are especially sensitive due to their characteristics and particularities. Cybersecurity must be taken very seriously and approached with honesty and strategic vision. The lack of specialized human resources and the lack of financial resources can be barriers or difficulties to tackling this problem, but many of the vulnerabilities can be controlled with proper situation analysis and strategic approaches to the cybersecurity challenges in our hospitals.
(1) HIMSS (2017). Healthcare and Cross-Sector Cybersecurity Report (Vol. 14).