Cyberattack: Not “if” but “when”

“An ER doctor is on the 26th hour of her 28-hour shift and she hastily clicks on a link which she thinks will take her to an update from a patient’s family. All of a sudden her monitor is red with a black skull and crossbones flashing and a message demanding payment immediately. She looks up and sees the same message on the other monitors across the ER. Doctors and patients are starting to notice. And the ER, which is always experiencing a low level of chaos, kicks up into high gear as doctors have to work with first responders to divert patients to nearby hospitals. This is the nightmare scenario which has become all too commonplace.”

— Lauren Boas Hayes, describing a fictional ransomware attack

Orlando, Fla. — Cybersecurity has joined interoperability as a standing theme at the world’s biggest health information technology conference, demonstrating how modern technology has become a major threat to healthcare in addition to being a transformative asset.

Long gone are the days when ransomware and other security issues were a hypothetical threat discussed in one of the more obscure rooms at the HIMSS (Healthcare Information and Management Systems Society) annual convention. At this year’s conference, cybersecurity was the topic of a full-day pre-conference symposium and had its own Command Center in the exhibit hall, where several dozen companies presented a series of talks on a variety of security issues.

Cybersecurity was similarly featured at the new ViVE22 health technology and innovation conference held the week prior to HIMSS in Miami Beach.

The issue is not just preoccupying the healthcare community in the US. In Canada, HealthCareCAN and the CIO Strategy Council announced last week that they were launching a project to develop standards to support cyber resiliency. “It is no secret that Canadian healthcare and health research institutions have proven to be popular targets for cyber attacks and the frequency of these events is only increasing, which brings an increased risk to patient care,” said Paul-Émile Cloutier, President & CEO of HealthCareCAN, in announcing the project.

Despite the resources being put into combating security threats in hospitals and healthcare systems, it is clear the problem is growing. Experts note that physicians and others working in these organizations are still not conscious of the problem, or of how they can inadvertently contribute to it.

At the HIMSS conference, the organization discussed results of its 2021 cybersecurity survey, which showed that phishing and ransomware were the most significant security incidents reported across all types of US healthcare organizations among the 167 responding organizations.

In a news conference, Lee Kim, director of privacy and security at HIMSS, said the issue is not “if” a healthcare organization will be subject to a cyber attack but rather “when”. With phishing being a major cause of security breaches, Kim said it made sense for organizations to have requirements with “teeth” to make sure employees follow proper procedures when dealing with emails.

While hackers are hitting healthcare systems all the time, Kim said only 78% of healthcare organizations are implementing firewalls across the board, and there is not nearly enough encryption of data occurring. Security is still not being adequately funded at many hospitals and other healthcare institutions, she added.

At ViVE, Lauren Boas Hayes, senior advisor for technology and innovation at the Cybersecurity and Infrastructure Security Agency (CISA), gave a brief but comprehensive presentation on the scope of the cybersecurity threat in the US and basic measures physicians could take to counter it.

“The healthcare industry and first responders have felt the disruptive impact of cyber attacks more so than any other industry over the past couple of years as the scourge of ransomware attacks has plagued healthcare systems around the world,” she said.

Hayes said healthcare organizations are particularly prone to ransomware attacks because “up time is everything” and these institutions are the most likely to pay a ransom to regain control of their systems.

She detailed three fundamental bad practices which CISA says impair security:

  • Using unsupported software
  • Using default passwords or common passwords
  • Using single-factor authentication, especially for remote access

“Investing in the technologies and teams who can implement a secure technology architecture with appropriate network segmentation, device inventories and exhaustive backups is proven to prevent catastrophic loss in the event of a successful attack,” Hayes said.