Cyber-attack surfaces are increasing as many health systems expand care beyond the four walls of the hospital and are especially prevalent due to the focus on health organizations inside of the COVID-19 pandemic. While the current landscape of cloud computing, telehealth, virtual work, remote hosting and data sharing between caregivers is essential for helping to improve patient outcomes and keep populations safe, these innovations come with increased chances for bad actors to exploit vulnerabilities.
As we recognize Cybersecurity Awareness Month throughout October, we should all consider how we can do our part to better protect our patients, clinicians and health systems.
The dangers of ransomware
Prior to the pandemic, 55% of healthcare organizations had little to no confidence that their organization could mitigate the risk of ransomware. Now, that number has increased to 60%. These statistics point to a dire need for stronger cybersecurity efforts as ransomware is capable of making healthcare IT systems inoperable and removing data that’s critical to patient care. The potential impacts on patient care are longer hospital stays, treatment delays, complications from medical procedures or, in the worst-case scenarios, patient mortality. Even if an organization pays the ransomware for a malicious attack, there’s no guarantee that the stolen data or impacted systems will be recovered.
Effective cybersecurity postures are gaining momentum
Attacks will continue to become more sophisticated, so cybersecurity must keep pace or, better yet, get ahead. Many senior healthcare leaders are gaining a better understanding of the growing interconnectivity of devices, business partners and health systems. The industry is learning that cybersecurity is not the sole responsibility of the IT department ─ everyone must take an active role in protecting their organization against cyber-attacks. Senior healthcare leaders and boards of directors are beginning to prioritize cybersecurity. More and more, organizations are educating their staff about data protection and best practices to avoid phishing scams that launch malware. This is more important than ever as teams continue to work remotely.
Implementing an effective cybersecurity program can help mitigate the risks that healthcare organizations face. A comprehensive cybersecurity strategy must consist of a documented and tested incident response plan, including:
- Incident response phases
- Roles and responsibilities
- Response workflows for business partner engagement
- Response workflows for communications
- Response workflow for external parties, including:
- Outside counsel
- Third-party incident response firms
- Credit monitoring services
- Post incident lessons learned
- Knowledge of reporting procedures to federal agencies
- Cybersecurity insurance
Wisconsin recently passed a cybersecurity regulation that creates added measures for insurance companies to protect individuals’ personally identifiable information (PII) and protected health information (PHI). Only a few other states have passed a similar law; however, we could see this trend increase in the future. Healthcare leaders are encouraged to advocate for specific regulations that apply in their respective states.
There are additional proactive measures that healthcare organizations should take advantage of on a continuous basis, including maintaining knowledge of new and existing federal and state legislation, conducting an annual attack and penetration test of security controls with a third party, incorporating 24×7 monitoring by a security operations center and testing incident response plans through simulated attacks against the organization. Training and retention programs are also important initiatives to keep skills up-to-date and accurate.
Healthcare is making great progress with prioritizing cybersecurity, but we can do more. A robust cybersecurity program and strategy can help mitigate the risk to what’s most important in healthcare – patient care and outcomes. It’s not realistic to think we can stop all the bad actors, but we can establish strong parameters to keep them at bay.
Cerner cybersecurity aims to help improve the security posture of your organization, allowing you to focus on what matters most in healthcare – patient care and safety. Learn more here.
More like this: