Why hospitals struggle with cybersecurity: ‘We aren’t doing the basics’

Wes Wright has spent nearly three decades in healthcare information technology, with much of it in the hospital industry.

He’s held leadership posts at Scripps Health, Seattle Children’s, and Sutter Health. So he’s well versed with the specific challenges hospitals face in cybersecurity.

Wright, the chief healthcare officer at Ordr, a cybersecurity firm, has great empathy for healthcare organizations struggling with ransomware attacks. But he says many healthcare organizations are especially vulnerable because they are faltering with some fundamental steps.

“We aren't doing the basics well,” Wright tells Chief Healthcare Executive®.

Wright estimates that at minimum, half of all healthcare networks are “flat networks, in that they can talk to everything.”

“That’s just not good network hygiene,” he says. “You’ve got to contain your blast radius … that's a fundamental piece of network hygiene that is really not sexy, but is really effective.”

(See part of our conversation with Wes Wright. The story continues below.)

Beaten on fundamentals

More than 31 million people have been affected by the 10 largest health data breaches this year, but that number will likely grow.

Hospitals and health systems nationwide have been rattled by the ransomware attack of Change Healthcare, a subsidiary of UnitedHealth Group. Change Healthcare handles business functions, including processing claims, for a wide array of providers, and the disruption of services took a financial toll on almost all of the hospitals and medical groups in the country. UnitedHealth has said many Americans are likely to be affected.

The Ascension health system also suffered a significant attack that affected patient care, as some hospitals had to divert ambulances and some non-emergency surgeries were postponed.

Yes, ransomware groups are deploying advanced tools, but Wright says that’s not the only reason some breaches have been so damaging.

“It's all about fundamentals,” Wright says. “That's where we're getting beaten, is in the blocking and the tackling.”

Wright stresses the importance of hospitals segmenting systems, explaining that some computers and devices should be on different networks, which will make it easier to contain a breach.

With the Ascension cyberattack, the system said the breach occurred when an employee inadvertently downloaded a malicious file. Ascension said it appears to have been an “honest mistake.”

One individual’s mistake shouldn’t be able to cause such damage to a health system with 140 hospitals, Wright says. It took weeks for the health system to restore its electronic health records.

“That's the blast radius,” Wright says. “That PC shouldn't have been able to talk to as much stuff as it was able to talk to, that's the cut and dried of it.”

With the Change Healthcare attack, UnitedHealth Group CEO Andrew Witty said at a Senate Finance Committee hearing that the breach occurred in a system that didn’t require multi-factor authentication, a common measure used in cybersecurity (such as entering a password and a separate numerical code to gain access). Witty said that Change Healthcare is working to upgrade its security.

Healthcare organizations need to deploy multi-factor authentication “on anything that’s external facing,” Wright says.

• Read more: Healthcare lags other sectors in cybersecurity

Do an inventory

Hospitals and health systems that are looking to improve their cybersecurity should focus on another fundamental, Wright says. They need to get an accurate inventory of all of their devices that are connected to the internet, and each other.

Health systems need an inventory “of everything you own,” Wright says.

While it may seem surprising that some hospitals don’t have a count of all of their devices, Wright estimates that “90% of the healthcare networks out there do not have an inventory of everything that connects to their network.”

“If they're hooking up to my network, I need to know that they're hooking up to my network. And by and large, we don't,” Wright says.

He likens the task to wrangling horses.

“It's trying to get the horses back in the barn, after they've escaped,” Wright says.

“And taking this analogy to its bitter end, we’ve got to get those horses that are in one big barn together, we got to get them in their paddocks, into their stables and get them separated from each other, and that's fundamentally, I think, what will save healthcare.”

When hospitals have a comprehensive list of all their connected devices, then they can look at segmenting some systems from each other.

“You’ve got to get all that stuff so that then you can start slicing it and protecting it from each other,” Wright says. “That's fundamentally what has to happen. So then when somebody makes a mistake, a forgivable mistake and understandable mistake, it might affect their next 10 co-workers, but it's not going to take down a 140-hospital system.”

• Read more: Cyberattacks of hospitals lead to busier emergency departments elsewhere

Setting standards, with help

Hospitals face a difficult task because the vast majority of all records are now digital.

“That just exponentially increased our attack surface in healthcare,” Wright says.

For smaller hospitals and health systems that are barely covering expenses, cybersecurity is a particularly daunting problem, Wright says. Some health executives face the choice between upgrading cybersecurity or ensuring critical services, such as operating the only MRI service within 100 miles, he notes.

He’s applauded some leaders, such as U.S. Sen. Ron Wyden, D-Ore., who have called for tougher minimum cybersecurity standards for hospitals and other providers.

Wright says such standards are needed, but hospitals and health systems should get federal aid to help meet those standards.

“Let's get everybody up to that level, and give them some funding to get there,” Wright says.

The government has also weighed penalties for hospitals falling short of cybersecurity standards. Wright says there could be some value in a tougher approach, but not before hospitals have been given the funding and tools to meet minimum cybersecurity standards.

“Until we help them get there, let's keep the stick in the closet,” Wright says.