Hospital Security Checklist

According to Accenture’s Cost of Cyber Crime Study 2019, the annualized cost of cybercrime for companies in the healthcare industry increased from $1.4 million to $13.0 million. The report also showed a significant increase in cyber attacks – ransomware attacks have increased by 11% from 130 to 145. The two most costly attack types were malware and web-based attacks, and the most expensive consequence of cyber crimes is information theft. Data breaches present a serious threat to patient care because they compromise normal workflow and lead to care unit closures stalling and halting operations and care delivery.

All the facts show that improving hospital cybersecurity can save a big part of the budget by reducing the cost of cybercrime and opening up new revenue opportunities. For example, hospitals can save $5.2 trillion of future revenues over the next five years if they will deal with vulnerabilities.

It should also be mentioned that hospital cybersecurity threats related to patient records and disruption of medical technology are perceived by Moody’s Investors Service as the key factor affecting hospital credit ratings. When it comes to cybersecurity threats, hospitals should keep in mind that they can be a target of cyber attacks and thus they should identify potentially vulnerable areas in hospital IT systems and reassess management and the protection of data.

Old Technologies are One of the Loopholes

Legacy systems and applications are still used in healthcare and create hospital cybersecurity threats as well as obsolete operating systems, such as Windows XP which is no longer updated by Microsoft and has no patches to screen vulnerabilities.

US hospitals use hundreds of pieces of legacy medical hardware and software that pose a great risk to cybersecurity in healthcare. Why do they use those legacy systems? The answer is money. Medical equipment and software are very expensive. For example, a state-of-the-art MRI machine costs about $2.6 million on average, the cost of an ultrasound machine varies from $10,000 up to $200,000, and the license fees for a server-based EHR system is about $75,000 each with overall costs of $25-$50 million for a 500-bed hospital.

Healthcare organizations cannot afford to buy new hardware and software every year. Many hospitals still use software that is not supported by manufacturers, and legacy information and communication systems are a perfect way to infect hospital IT systems with malware.

At the same time, legacy systems play an important role as they support key functions. Very often they don’t get any updates, so these systems make for easy pickings for hackers. Integration of these legacy systems toward new, state-of-the-art communication systems is a time-consuming, laborious process involving complicated programming and a lot of manual steps. However, pulling data from disparate legacy systems to create a single database is just a matter of time as HIPAA compliance makes it a pressing matter.

The Key Problem Areas of Information Handling in Hospitals

According to the study of the state of cybersecurity and cyber threats in healthcare organizations, there are several key areas that pose risks to information security.

At the organizational level, the main issue is the lack of funding – the budgets allocated to Information Security are much lower than in other industries and facilities cannot afford to retain in-house information security personnel.

Another source of problems is the lack of resources – very often security matters are handled by the IT staff that has no sole leader responsible for information security and no security operations center to identify and evaluate threats. And the third problem area at the organizational level is the lack of hospital staff training. Medical and administrative staff are often unaware of basic practices and the threat landscape.

There is also a technical level of the problem. Most hospitals do not know their IT infrastructure and the vulnerabilities it has. It is the reason why updates and upgrades are not timely, devices are misconfigured and legacy systems are kept online even if they are not used.

Many hospitals do not track, report, and manage threats effectively – as they seldom log network or system events and monitor attacks to detect cyber attacks (both present and past ones). Though the capacity to analyze and translate the threat data could help them reduce damages and identify loopholes.

Very often the IT infrastructure of hospitals is built without taking into account security matters – the lack of security controls makes it possible to access important information without proper rights and, moreover, diverse information and communication systems of a hospital, such as EHR portals, medical devices, tablets, smartphones, and wearables can freely communicate with each other without proper data protection. This poses 2 major risks – infection of the systems with malware and data leaks, and the possibility to access medical devices connected to patients.

And, of course, we should mention such a simple thing as physical threats. In most healthcare facilities it is quite easy to get physical access to the hospital network – WiFi connections are available in most hospitals, patient rooms offer connections to the network through open ports for plugging in medical devices, and the outdated equipment and devices themselves with unnecessary internet connectivity also add further risk. So, these network entry points can be used by hackers to access hospital data.

What Healthcare Organizations do to Boost Hospital Cybersecurity

Things are not all bad, however. Developments in technology and a complex regulatory environment make cybersecurity a growing issue for hospitals and their boards. According to Accenture, cybersecurity program maturity is shifting to the middle stages, i.e. cybersecurity program activities are planned and defined by organizations, though deployed only partially.

AHA suggests that hospitals can prepare and manage cybersecurity risks by making cybersecurity “a part of the hospital’s existing governance, risk management, and business continuity framework”. The American Hospital Association also rated hospitals implementing cybersecurity measures and the 2019 CHIME HealthCare’s Most Wired Survey showed that the majority of hospitals are already taking many important security steps, such as:

  • Unique identification of system users
  • Automatic logoff of system users
  • Required use of strong passwords
  • Passcodes for mobile devices
  • Use of intrusion detection systems
  • Encryption of wireless networks
  • Encryption of laptops and/or workstations
  • Encryption of removable storage media
  • Encryption of mobile devices, etc

As we can see, the situation is improving, but there’s still a long way ahead to make hospital IT infrastructure really safe. It is always necessary to have a checklist for hospital cybersecurity at hand and to take steps to keep your IT systems secure and compliant.

Hospital Cybersecurity Checklist

Identifying the Problems

You need to identify and clarify all input data before you will engage in this issue.

  1. Is your staff’s cybersecurity awareness sufficient? Most hospitals are focused on the medical aspect of the business. They upgrade medical technology, train, and employ good specialists to provide better care and save lives. Cybersecurity is also very important for ensuring the quality of care and even saving lives. Hospital administration and staff must be aware of best practices in the industry and cybersecurity policy used by the facility.
  2. Are they aware that healthcare facilities are attractive to hackers? The number of attacks is growing in every industry, and healthcare organizations are low on cybersecurity whilst they handle data on thousands to millions of people, including financial data, which is very lucrative for cybercriminals.
  3. The bigger the healthcare organization is in size, the greater the threat. The larger size of a healthcare organization, the more people are involved in the system. And, the more people are involved, the more points of potential exploitation exist.
  4. Are your processes consistent? The big hospitals and healthcare organizations can face difficulties while creating and enforcing consistent security standards and processes. “Best practices” and security measures must be identified and unified for all departments.
  5. Are your networks protected? Most hospitals rely on large, shared wireless networks including many different devices, which create vulnerabilities.

Steps to Take

What can hospitals and healthcare facilities do to get more prepared and protected?

  1. Use better technology. Hospitals can adopt more state-of-the-art technological solutions to protect patient data and prevent their systems from being attacked. These include more advanced software, such as multifactor authentication, and best practices used in other industries, such as tokenization, blockchain technology, better monitoring systems, and biometrics-based security applications.
  2. Boost cybersecurity to one of the top priorities for infrastructure advancements. Most healthcare organizations have some budget for cybersecurity improvement, but simply do not pay enough attention to this matter. However, one good reason to keep it in mind is the high cost of data breaches. Just one experienced administrator or a better cybersecurity system can drive substantial improvement.
  3. Make your networks more secure. Shared hospital networks must be segmented, encrypted, and fit with strict policies about bring-your-own-devices (BYOD) and access rights.
  4. Purchase insurance if you can afford it. Cyber insurance is a trend in many financial services organizations, and it can be a good solution for healthcare facilities, too.
  5. Train your staff and patients. Human errors that open doors for phishing attacks are the top cause of data breaches today. Therefore, healthcare organizations need to inform both their staff and patients about the best practices for cybersecurity. You can use handbooks and information leaflets, all kinds of seminars and workshops, emails, and even educational apps to keep your staff informed and alert about potential breaches and vulnerabilities.
  6. Outsource IT specialists who know all the traps and pitfalls. If your facility does not have enough cybersecurity professionals you can use the experience of those who know how to deal with the problem. Choose a company that is HIPAA compliant and ISO-certified and has solid experience in healthcare IT. This will help you get a state-of-the-art cybersecurity system and reduce costs and decrease contracting costs as you won’t have to hire full-time employees and buy additional computer equipment for the staff.
Maxwell Travers, Content Contributor
Maxwell Travers, Content Contributor