Cindi Bassford and Harry Greenspun, MD, discuss the inevitability of cyberattacks in healthcare and the importance of organizational preparedness.
As cases of COVID-19 escalated rapidly in March 2020, I began inventorying emergency supplies even though schools and restaurants were still open in Maryland.
Then, on March 17, 22 new cases were reported, doubling a few days later. On March 20, as neighbors stocked up on essentials, I made a highly unusual purchase—a Wahl “Home Haircut and Grooming Kit”—anticipating that the barber shop would soon be closed. Nine days later, my wife gave our boys and me the first of many “COVID cuts.”
I was reminded of this notion of preparing for the inevitable before “the clippers” were unobtainable when talking with my colleague Cindi Bassford, partner at Guidehouse, about cybersecurity in healthcare.
Cyberattacks against organizations have become inevitable.
They are especially problematic in healthcare, a favored target for hackers. Ransomware attacks, representing nearly half of healthcare data breaches, bring clinical care to a halt and force critical patients to be rerouted to other facilities.
Despite increased warning signs, many institutions were unprepared when COVID-19 hit. As Cindi highlights in our discussion, common problems for organizations include the lack of a thorough inventory of systems, of up-to-date security, and of a full understanding of the security implications of operational decisions.
While electronic health record data is often the focus of data security, vast numbers of connected medical devices (60% of which are at end-of-life, with no patches or upgrades available) bring new vulnerabilities. Furthermore, the pandemic has exacerbated these issues as many in the workforce connect from home on personal devices, falling victim to phishing, social engineering, and other hacks.
After an attack, leaders found they had inadequate backups, training, and processes in place to avoid further damage.
Equally troubling, many leaders failed to engage a cybersecurity partner ahead of the attack and were forced to scramble, only to find that most firms were already committed to other clients. Beyond delaying their response, this added to the cost.
As a recent cyber panelist said during HIMSS 2021, “You may be able to negotiate with a ransomware attacker, but you won’t be able to negotiate with a cybersecurity firm if you cold-call them after an incident.”
Perhaps one unexpected consequence of the inevitability of attacks is a change in organizational attitude and culture. Historically, cybersecurity has primarily been the chief information officer’s responsibility, and a breach was that person’s failure. Now, cybersecurity is a collective responsibility, requiring everyone, administrative and clinical leadership included, to do their part to protect the network.
When an attack does occur, it creates an opportunity for organizations to shine through response and recovery.