As we conclude our series on cybersecurity in healthcare, several experts offer advice on protecting systems and patients.
With more healthcare organizations suffering cyberattacks, experts say hospitals leaders and employees must understand the scope of the threat and what they can do to prevent breaches or minimize the damage.
This week, Chief Healthcare Executive has published a series of stories about cyberattacks in healthcare. In addition to outlining the dangers, experts also talked about steps health systems can take to improve the safety of their systems and their patients.
Even smaller systems that don’t have the resources of larger hospitals can do a great deal to strengthen their cybersecurity.
Cybersecurity experts stress education is a key ingredient in bolstering cybersecurity, and it’s one every hospital can take.
It starts with simple steps such as making sure people aren’t clicking on external emails that are suspicious or unfamiliar, said Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS).
“If you see an email that doesn’t look right, don’t be curious,” Kim said. “Pick up the phone. Speak to IT. Don’t respond to the suspicious email.”
Kevin Tambascio, manager of cybersecurity for the Cleveland Clinic, said, “It really is a lot of times about the basics.”
Organizations need to ensure all employees take cybersecurity seriously, said Linda Stevenson, chief information officer of the Fisher-Titus health system in Ohio.
“My belief is cybersecurity is everybody's responsibility,” Stevenson said.
As systems aim to improve their cybersecurity, leaders need to get doctors and nurses involved, so they can offer input and guidance.
“I don’t think we should do anything in an organization without clinicians being on our side,” Stevenson said.
Fisher-Titus, a relatively small system about 60 miles from Cleveland, managed to boost cybersecurity defenses without adding staff. Stevenson offers some tips for smaller systems in this video. (The story continues after the video.)
Link efforts to patient safety
Hospital employees need to think about cybersecurity in terms of harming patients, said John Riggi, the top cybersecurity adviser at the American Hospital Association.
If a health system suffers a breach, ambulances could be diverted. If the attack affects electronic health records, hospitals could be forced to delay surgeries or cancer treatments.
“Cyber hygiene is as important as medical hygiene to protect the patient,” he said.
Develop clear policies
Employees need to understand the organization’s cybersecurity policies. They need to be accessible and in clear language.
Experts like Kim also said policies need some teeth. If certain employees consistently click on suspicious emails, they could be directed to have additional training or, if feasible, lose access to the system for a day.
“When policies and procedures have teeth to them, that’s when people listen,” Kim said.
Understanding business email compromise
Ransomware attacks are devastating to healthcare systems, but hospitals are more likely to be damaged by business email compromise scams.
In these scams, employees receive an email from what appears to be a source they know, such as a vendor or even someone posing as a fellow worker. Attacks launched from these scams can be very costly, says Crane Hassold, director of threat intelligence for Abnormal Security, a cybersecurity firm.
“As much as we hear about ransomware in the news, business email compromise from a financial impact perspective dwarfs every other cybercrime out there,” Hassold said.
Install basic defenses
At the HIMSS 2022 Global Health Conference last month, Kim expressed some astonishment that some healthcare organizations haven’t implemented basic defenses.
More than one in five (22%) healthcare cybersecurity professionals said they don’t have anti-virus software across the entire enterprise, while only 50% have implemented encryption for data in transit throughout their systems, according to a recent HIMSS survey.
“We don’t have everyone implementing anti-virus across the board,” Kim said.
“We don't have nearly enough encryption.”
Healthcare systems can also reduce risk by employing multi-factor authentication to access systems, Riggi says. With this step, employees would have to enter a password and take one other step, such as entering a code received via a text message, to access a system.
Get an assessment
If hospitals aren’t sure about the strength of their cybersecurity, experts say an evaluation from a cybersecurity firm is a good step.
Shortly after taking her role as CIO at Fisher-Titus, Stevenson tapped a firm to provide an assessment of the health system’s cybersecurity. The firm exposed vulnerabilities.
If a health system wants to improve, Stevenson suggested a first step is “a really strong risk assessment.”
“I recommend an outside company to start with because you get an independent look at things versus what your people know,” she said.
Healthcare systems need to identify where they are vulnerable to attack.
If organizations have had a cyberattack, they need to look at their vulnerabilities and patch those defenses.
Sometimes, that isn’t happening.
“I personally know of entities that unfortunately have been hit by the same incident multiple times over because they don’t take a step back and look at what they can do better,” Kim said.
Hospitals need to have emergency response plans in place for when they are hit by a cyberattack. They need to spell out clearly defined roles of leaders.
“We need to plan for the what-ifs and have the resources on speed dial in case it’s ever a problem,” Kim said.
Healthcare leaders need to plan for the worst possible scenarios, said Tambascio of the Cleveland Clinic. “Who is going to take charge in a ransomware situation?” he said.
Another question leaders need to answer, Tambascio said, is, “What if it’s at 3 in the morning on Saturday?”
Healthcare information officers should compile an asset inventory covering all hardware and software, Tambascio said.
Hospitals need multiple encrypted copies of data backups, including at least one copy that can’t be changed, says Riggi.
Hospitals must develop robust plans to continue caring for patients when a cyberattack happens, says Christian Dameff, an emergency physician and assistant professor of emergency medicine at University of California San Diego. Dameff has studied cybersecurity extensively and testified before Congress on cybersecurity issues.
Hospitals need to identify all the patients who would be affected by a breach affecting electronic health records systems, he said. Some hospitals have delayed surgical procedures and other treatments due to breaches.
Healthcare organizations need to think about patients receiving treatments for cancer and dialysis, he says.
“What’s your plan for offering dialysis to hundreds of patients three days a week? That’s what we have to figure out ahead of time,” Dameff said.
Hospitals also need to develop contingency plans for contacting thousands of patients, he said.
Check with vendors
Hospitals rely on a host of partners with access to patient data. Healthcare organizations need to be talking to their vendors about their security and what is being done to protect private health information.
When negotiating contracts with partners, healthcare organizations should be asking tough questions about their cybersecurity defenses. Tambascio said organizations should ask vendors: “Did they bake security into the project from the start?”
Some hospitals are at risk of breaches due to their partners, says Riggi.
Talk with peers
Hospitals need to be talking more regularly with other healthcare organizations about cybersecurity. They should be sharing information about threats and best practices.
Kim stressed the importance of hospitals talking to other providers, as well as companies in other sectors.
“Nothing will replace peer to peer human intelligence,” Kim said.
If hospitals aren’t talking to others outside of organization, “They will truly have tunnel vision when it comes to cyber. They won’t learn. They won’t grow.”
Part of that planning should also involve emergency response. If one hospital or system is hit, other healthcare providers are going to be affected, because they may see an influx of patients if ambulances are diverted or procedures have to be postponed.
Take advantage of help
The Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security, provides a wealth of resources for healthcare providers - and other companies - at no cost. CISA offers training events and risk assessments.
CISA’s free resources can be very helpful, Kim says.
Healthcare organizations also should consider joining InfraGard, a partnership with the FBI and the private sector focused on protecting critical infrastructure. InfraGard shares information on threats and offers workshops and intelligence bulletins.