By Patrick Ross, Associate Director, Federal Relations
As the U.S. health care system continues to adopt internet-connected care delivery systems, health care organizations (HCOs) are increasingly experiencing attacks from cybercriminals.
In the first half of 2022, there was a 70% increase in hacks and information breaches compared to the same period in 2021. In 2021, 66% of HCOs reported that they experienced a ransomware attack.
Federal agencies such as the Cybersecurity & Infrastructure Security Agency (CISA) and the FBI have urged renewed attention to preventing cybercrimes. These agencies are directing their efforts toward identifying cybersecurity vulnerabilities and developing resources to strengthen cybersecurity measures.
Cybersecurity Gaps & Patient Safety
There are multiple ways cyberhackers can threaten patient safety. The first is the loss of valuable information such as a patient’s:
- social security number
- payment information
- date of birth
- place of residence
- medical conditions
Hackers can sell such highly valued data, harming patient privacy and health care delivery.
Furthermore, cyberhackers disrupt HCO computer systems, delaying procedures or tests and leading to poor patient outcomes. Disruptions can also increase complications from medical procedures or prevent HCOs from accepting new patients.
It is critical that HCOs identify cybersecurity vulnerabilities and take precautions to prevent cyberattacks.
No Cost Resources
CISA offers numerous free resources to HCOs looking to strengthen their cybersecurity program. As an initial step, CISA provides a template as part of its Stop Ransomware guide that allows HCOs to create customized plans to respond to a ransomware attack in an effective, safe, and timely manner.
A comprehensive guide, produced jointly by CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC), is also available. This guide provides cybersecurity prevention practices and a checklist to walk HCOs through the necessary steps of preventing ransomware attacks.
CISA’s Pragmatic Cyber Security Webinar provides information about how facilities should prevent, manage and respond to any cyberattack. It emphasizes current practices that put facilities at cybersecurity risk, promotion of “Stuff Off Search” to reduce internet-facing attack surfaces, and tabletop exercises to develop and update policies and programs to strengthen cybersecurity protection.
CISA also offers tools and services to evaluate an HCO’s current cybersecurity practices:
- Ransomware Readiness Assessment CSET v10.3: A self-evaluation that determines an organization’s readiness for different types of cybersecurity risks.
- Known Exploited Vulnerabilities Catalog: A routinely updated list of known software vulnerabilities being exploited by hackers.
- Cyber Hygiene Services: A CISA-guided service that performs vulnerability scanning, web application scanning and phishing campaign assessment. This service triages important vulnerabilities so that users know which gaps to address first.
Healthcare organizations should also remember the “human firewall,” a concept that dictates that humans are the weakest link in preventing cyberattacks. Staff should be provided with training to test their abilities to spot phishing emails, which can also give an organization’s IT security department an opportunity to correct common high-risk behaviors.
Patrick Ross is Associate Director of Federal Relations at The Joint Commission.