What I Told Congress: Healthcare’s Under Attack from Cyber Criminals

A few weeks ago, I was honored to take part in a panel hosted by the House Committee for Homeland Security that discussed cyber security in healthcare and what cyber attacks mean not only for patients, but for doctors and hospitals as well.

The panel was held at the Rayburn House Office Building and sponsored by Rep. Bennie G. Thompson. It included individual presentations by myself, John Riggi, the senior advisor for cyber security at the American Hospital Association; Dr. Oscar Alleyne, senior advisor for public health programs at the National Association of City and County Health Officials; and Greg Wolverton, CTO at CSI Solutions, followed by a Q&A with audience members.

As the panel discussed, the healthcare industry currently finds itself in a difficult situation as it relates to cyber risks.

Healthcare systems hold vast amounts of valuable information, but the industry has largely been slow to adopt modern cyber security practices. For example, 75% of healthcare organizations spend 6 percent or less of their information technology budget on cyber security, which is about half of other, more security mature industries.

Cyber criminals know this and look to take advantage. For example, ransomware has become a popular way to attack healthcare systems—because hackers know that hospitals cannot allow their systems to go dark for any length of time and so will quickly pay the ransom to get systems operational again.

This, of course, is just a small part of the security challenges that healthcare organizations face. From detailed patient records to proprietary business information and leading-edge research, hackers have major incentives to attack healthcare organizations. Health data is rich and can be monetized in many ways, and cyber criminals are keenly aware of that.

How Can Health Organizations Better Protect Themselves?

The first thing healthcare organizations should realize is that compliance does not mean security. Organizations need to move from making decisions driven by compliance requirements to making decisions based on security objectives – and they need to be nimble enough to update these objectives as the cyber threat landscape changes.

They need to adopt a defense in-depth approach with security defenses implemented at every relevant security control point. That includes every network component, connection point, mobile device or IoT-connected technology as well as traditional servers and workstations.

Healthcare organizations that want to greatly improve their security should follow these best practices:

• Educate leadership to understand that cyber security is a business risk, not just a technology risk. A cyber security attack can severely affect operations and the ability to serve patients, so the organization’s leadership must understand the importance of sound cyber security and support it on a strategic level.
• Select the right, overarching cyber security framework that guides your strategy and tactical decisions alike. For example, the NIST Cyber Security Framework is one increasingly being adopted by healthcare organizations.
• When developing a cyber security strategy, get buy-in from all internal and external stakeholders.
• Assume that you will be breached. Sound incident response requires everyone to be on board, and to understand their role in responding to an incident. Incident response in healthcare is complex and often requires clinical, business, and cyber security trade-offs.

Healthcare organization face a gigantic challenge in protecting their data, a task that continues to grow harder and harder. I am thankful for the opportunity to share my thoughts on Capitol Hill and for my fellow panelists who stepped up to support the greater mission. The onus is on all of us to work together and collaborate in making healthcare a more secure place.

If you found this information useful, you may also enjoy:

• Cyber Security and Healthcare: An Evolving Understanding of Risk