
Cybersecurity panel: How hospitals can protect their patients and their systems


Chief Healthcare Executive® presents the final installment in our series, with experts from HIMSS, the American Hospital Association, and Providence. In this episode, our panel offers advice on how health systems can improve.

Hospitals and health systems are facing more threats from cyberattacks, and ransomware groups are employing more sophisticated attacks.

But health systems can take steps to protect their patients and their systems.

Chief Healthcare Executive® convened a panel of cybersecurity experts to discuss cyberattacks aimed at hospitals. Over the past month, we’ve presented a series of stories and videos from our conversation.

In this final installment in our series, our experts talk about the ways that hospitals and health systems can improve their cybersecurity.

The panel included John Riggi, national advisor for cybersecurity and risk for the American Hospital Association; Adam Zoller, the global chief information security officer for the Providence health system; and Lee Kim, senior principal of cybersecurity and privacy at HIMSS.

(Watch the conversation in this video. The story continues below.)

‘Failures in the basics’

Hospitals need robust cybersecurity programs, but many organizations are vulnerable to breaches because they aren’t succeeding in fundamentals.

“What I see really working for hospital systems is focusing and doubling down on the basics,” Zoller says. “The failures in the basics, I should say, are what lead to breaches.”

Some of those basics include multi-factor authentication, where users must enter a password and take a second step such as entering a code sent to an app. Kim says multi-factor authentication should be used for all critical systems.

Health systems also should require passwords to be changed periodically.

“It's highly, highly effective at defeating a lot of the attacks that you're going to face,” Zoller says.

Health systems also need to ensure that technology that sweeps for vulnerabilities is installed on all systems, and security teams must be empowered to act on potential vulnerabilities in a timely fashion.

Security teams also need to patch those vulnerabilities quickly.

“These basics have worked for a very long time, and if you're doubling down on those things and doing those things well, you're going to thwart the majority of attacks that you face,” Zoller says.

‘We start at a disadvantage’

Health systems must be cognizant of all the potential risks to their systems, including breaches involving their business partners, and work with vendors to mitigate those risks.

Riggi says many healthcare leaders were caught off-guard by the Change Healthcare cyberattack and never expected such disruptions from a company so widely used in healthcare. The Change Healthcare attack affected 100 million Americans.

Health systems also face the competing challenges of protecting their organizations while openly sharing data across the healthcare ecosystem.

“We start at a disadvantage, in that sense, that we have to make technology available to save lives, of course which is job one, and also, the government requires us to share information broadly with other providers on the continuum of clinical care,” Riggi says. “So, by nature, to improve patient outcomes, the government wants us to share information broadly and widely with other healthcare providers as well.”

Zoller, who has experience in the defense and financial sectors, says hospitals face unique challenges in defending against cyberattacks.

“I'm a firm believer that the healthcare sector is the most complex sector and the most difficult sector to defend, just because of, as we talked about before, our high reliance on third parties to do basic business functions, but then also the complexities of care delivery,” Zoller says.

Hospitals and health systems must recognize the complexity of the threats they face, and they need to be mindful of the latest federal reports on threat intelligence. Riggi also says the government needs to provide more timely updates on the latest threats.

Many attacks come from groups that have the backing, or at least tolerance, of nation-states, Riggi says.

“Russia provides safe harbor for the majority of ransomware groups that are attacking U.S. hospitals and health systems,” he says.

Need to band together

Given the gravity and complexity of cyberattacks, Kim calls for greater cooperation among hospitals and health systems. Healthcare organizations should be talking more often about the threats they’re seeing and alert others in their region about potential problems.

“I really think that we need to do more of that in terms of information sharing as a group,” Kim says.

“We all need to have regular pow-wows about what is going on,” Kim continues. “Yes, we all need to be viable and essentially further our own brand and economics, but we'll be on a sinking ship unless we band together, because all of us are vital to national security and the welfare of our people.”

Kim also suggested the need for more training of hospital legal teams about cybersecurity issues, including the need to consider protections in negotiating contracts with business partners.

“Sometimes attorneys are not necessarily well informed in terms of the threat landscape, in terms of how the technology necessarily works,” Kim said. “So I think that we need to do more education from the cybersecurity perspective.”

And Kim also points out the risks go beyond financial losses and a system’s reputation.

“We're talking about someone's life on the line,” Kim says. “Even one life that is put in jeopardy due to a cyberattack or other event is, frankly, too many. So that's why, in terms of looking out for people, looking out for humanity, we do need to band together.”

Hospitals need to focus on their defenses, but they also need to have plans for when they face cyberattacks, Riggi says.

“Plan for when that attack occurs,” he says.

Health systems need to have plans for providing care without technologies they have come to rely on every day. As Riggi said, systems must have ways to deliver radiation oncology without a linear accelerator that needs an internet connection to work.

“Developing those resiliency procedures to go without technology, to deliver safe and quality patient care for up to 30 days, unfortunately, as we've seen in these ransomware attacks, without the benefit of technology,” Riggi says.

Kim says training of staff on response plans is essential, especially since younger clinicians and staff have worked their careers in a digital environment. They need training on how to work if technology isn’t available.

“People that are now coming up, or people in medical schools, nursing schools, etc, they don't necessarily remember how to manually process things, how to run things,” Kim says.

For more insights on cybersecurity, guidance for large and small health systems, and response plans, watch the full video.

Our series on cybersecurity

If you missed the previous episodes in this series, there are some valuable insights for hospitals and health systems.

In our first installment, our experts examined the scope of cyberattacks in healthcare.

In the second week, our panel looked at the risks hospitals face from attacks aimed at vendors and business partners.

Last week, our experts outlined the progress hospitals are making in cybersecurity and the problems they continue to face.

We’d like to thank the American Hospital Association, HIMSS, and Providence for their invaluable assistance.

© 2025 MJH Life Sciences

All rights reserved.