Chief Healthcare Executive presents the third installment from our conversation on cybersecurity, with experts from HIMSS, the American Hospital Association, and Providence.
When it comes to hospitals and cybersecurity, health systems have gained greater proficiency in defending their organizations.
But health systems are facing greater threats from ransomware groups, and they still need to improve the security of their organizations, cybersecurity experts say.
Chief Healthcare Executive® recently held a panel discussion featuring three top experts on cybersecurity. In the latest episode from that conversation, they assessed the state of cybersecurity in hospitals, their capabilities and the hurdles that continue to threaten health systems.
The panel included Lee Kim, senior principal of cybersecurity and privacy at HIMSS; John Riggi, national advisor for cybersecurity and risk for the American Hospital Association; and Adam Zoller, the global chief information security officer for the Providence health system.
Kim said there’s a growing recognition that hospitals have to focus on cybersecurity. She says she has worked with providers who suffered breaches because they didn’t address some vulnerabilities, but hospitals understand the need to be as resilient as possible.
“Weak cybersecurity is no longer an option now,” Kim said.
Health systems have developed stronger capabilities and many have hired top cybersecurity pros. But she said some clinicians chafe against some cybersecurity measures, including upgrading some vulnerable, legacy systems.
Plus, some healthcare employees don’t pay attention to basic training, she said.
“We have adversaries coming at us,” Kim said. “We have people inside of our organization that are for whatever reason, sometimes not following training, and so they're clicking on phishing links and otherwise exposing us.”
Riggi said there are encouraging signs of improvement and engagement from hospital leaders, but efforts are falling short of matching the threat of increasingly sophisticated attacks.
“If we really were keeping pace, we wouldn't see all of these attacks occurring in the first place,” Riggi said.
Again, he noted, it’s not a lack of will, and he’s seeing more interest from health system executives in reducing the risks of cyberattacks. He notes that he’s frequently speaking to hospital executives and their boards about cybersecurity.
Plus, hospitals and health systems are gaining experience in dealing with ransomware attacks.
“It's like battle-tested troops,” Riggi said. “We've had a lot of experience, fortunately and unfortunately, dealing with these attacks.”
However, some hospitals and health systems have been struggling to invest as much as they’d like in cybersecurity, Riggi noted. Hospitals are generally faring better financially than they were a year or two ago, but many continue to face financial headwinds, industry analysts and healthcare leaders say.
“It's often a lack of resources, whether it's just human, financial or technical resources, especially for our under-resourced hospitals and health systems, our rural systems,” Riggi said.
Providence, which operates 51 hospitals and 1,000 clinics, encounters ransomware attacks on a regular basis and has developed a robust cybersecurity program. Zoller also notes that there’s tremendous interest in cybersecurity among Providence’s leadership, and that level of engagement is invaluable.
“I'm in front of the board of directors once a quarter, talking about cybersecurity as a business risk,” Zoller said. “And part of that job is educating them on what's happening in the cybersecurity industry. What are the current and emerging threats? What are the things from an enterprise risk perspective they need to have on their radar?”
Zoller pointed out that as more hospitals and health systems come together through mergers and acquisitions, those integrations can increase the risks of damaging cyberattacks. As organizations get bigger and are merging computer systems, they face greater risks and a wider footprint that can be enticing for ransomware groups.
Plus, as health systems get bigger, response times can slow down when a cyberattack occurs. If it takes hours for organizations to close off compromised systems or for leaders to make decisions, the attackers gain a greater advantage, he said. Health systems must have detailed response plans so they can act as quickly as possible if a breach occurs.
“Complexity is the enemy of security,” Zoller said. “Lack of centralization and control is the enemy of security.”
If you’ve missed the previous installments in our series of cybersecurity videos, check them out for more insights and perspectives on cyberattacks in the hospital industry.
In last week’s installment, our panel looked at the risks hospitals face from attacks aimed at vendors and business partners.
In our first episode, our experts examined the scope of cyberattacks in healthcare.
Coming next Monday: Our cybersecurity panel outlines ways hospitals and health systems can improve their defenses.