Cybersecurity and hospitals: Looming threats, vulnerabilities and what can be done

Cyber attacks are on the rise and smaller hospital systems could become targets. The chief technology officer of [redacted], a cloud security firm, outlines how hospitals can bolster their defenses.

Hospitals are facing more dangerous cybersecurity threats and healthcare systems of all sizes need to develop response plans.

Hackers aren’t just targeting larger hospital systems, said Matt Georgy, chief technology officer of [redacted], a cloud security company based in San Francisco. (To avoid confusion, “[redacted]” is the firm’s name; it's not being omitted.) Increasingly, smaller hospital systems are likely targets, he said.

The American Hospital Association has tapped [redacted] for cybersecurity incident response services. The firm will be assisting the association’s member hospitals in addressing cybersecurity issues and assessing risk.

Hospitals are seeing more attacks on cybersecurity systems. Since the beginning of the year, more than 500 hospital systems and healthcare organizations have reported cybersecurity incidents affecting at least 500 people, according to the U.S. Department of Health and Human Services. This week, federal authorities warned attackers backed by the Iranian government are targeting healthcare systems and other vital areas.

There’s a growing recognition among hospital leaders about the need to boost their defenses and prepare for cyber attacks.

“If they did not have an appreciation for it six months ago, they have an appreciation today,” Georgy said.

Georgy spoke with Chief Healthcare Executive about steps hospitals should take, whether ransom should be paid and looming threats to come.

Security teams are critical

Georgy said he recommends hospitals of all sizes create some kind of security team.

If smaller hospitals lack the staff to do it themselves, they should contract with a private company.

A cybersecurity team “is akin to an insurance policy,” he said.

Ransomware on the rise

Businesses have been hit with cyberattacks hurting vital systems combined with ransom demands to restore services. Hospitals are no exception.

“Over the last 18 months, we have seen the rise of ransomware, specifically targeting hospitals,” Georgy said.

Hospitals are more vulnerable than some other businesses, which likely have backup records and can afford to be down for a while. Hospitals don’t really have that option. Some cyberattacks have impeded patient care.

“We’ve seen where large hospitals were not able to provide care,” Georgy said.

The Healthcare Information and Management Systems Society (HIMSS) surveyed technology professionals last year, and 28% reported a disruption of emergency services, while 17% said elective surgeries had to be canceled.

Don’t pay ransom

It may be tempting for hospitals to pay a ransom demand. Georgy said it’s a mistake.

“Under no circumstances should a ransom be paid,” he said. And he noted that’s the firm’s policy.

Hospitals shouldn’t pay because it could expose them to other attacks and there’s no guarantee their systems will be fully restored, he said. Plus, it simply encourages other attacks.

“Ultimately, you’re just feeding into this ecosystem," he said.

Blackmail

A growing trend is hackers blackmailing companies and threatening the exposure of private information.

“One of the trends we’re seeing, not specifically to hospitals, but it may come around, is blackmail,” Georgy said. The loss of patient records would be catastrophic.

“Hospitals can get ahead of this so they aren’t extorted for patient records,” he said.

Smaller hospitals must be wary

There’s been growing chatter underground about efforts targeting hospitals, Georgy said. And he said attackers may realize targeting larger hospitals with bigger cybersecurity defenses may not be the best way to go.

Unfortunately, smaller hospitals with fewer staff and resources for cybersecurity are going to prove to be tempting targets.

“It’s not going to take a lot of time for malicious actors to realize targeting smaller hospitals is more profitable to them,” Georgy said.

Common-sense solutions

Hospital systems can go a long way toward deterring attacks with relatively simple steps. Part of it involves a commitment to training staff and getting all employees to take cybersecurity seriously.

“If every company using a computer just applied common-sense security practices, you’d see a significant decline in attacks,” he said.

Using two-factor authentication to access systems “is absolutely essential,” he said.

“Even busy doctors can apply multi-factor authentication very successfully with minimal impact,” he said.

Companies need password policies, instructing employees to change passwords frequently and use passwords which can’t be easily guessed.

Training

Healthcare organizations must get their employees to take cybersecurity seriously. They need training on best practices.

"Insist on training for all of its staff, not only at time of employment, but annually at a minimum,” he said. Georgy recommended two training sessions a year, even if they are only 15 minutes.

Plans and practice

Hospitals need to come up with response plans for cybersecurity attacks. The plans need to include the procedures for contacting local and federal authorities, legal counsel, their public relations and the media.

Those plans need to be practiced.

“We always recommend to every one of our clients that they conduct a tabletop cybersecurity exercise,” Georgy said. Top leaders should participate in those drills.

“You always want to have that response plan, so you know who you’re going to call,” he said.

Something to watch: Congress is considering legislation that would require mandatory reporting of cyber attacks within a short time. A Senate bill with bipartisan backing would require federal agencies and critical infrastructure operators to report attacks within 24 hours.

Other measures have different time frames, but lawmakers are looking at mandatory reporting requirements.