In the July/August issue of The Journal of Medical Practice Management, Bruno Kelpsas and Adam Nelson published an article, “Ransomware in Hospitals: What Providers Will Inevitably Face When Attacked,” in which they describe the following scenario:
One Friday, Sally, a member of a local hospital’s finance team, receives an overdue billing statement from a vendor’s email address. Because it is the end of the month, she considers the email a routine part of billing and reporting. Sally opens the email, as well as the attached contract in Word format. Suddenly, Sally’s monitor turns red, displaying a screen that begins with the word CryptoLocker.
Sally freezes. She has heard about cyber threats in training, but in her trusted vendor’s billing statement? Who would be that sophisticated? Sally immediately picks up the phone and calls the IT department.
Currently, the healthcare industry responds to compromises reactively, much as the financial services industry simply replaces consumers’ credit cards after a retail breach such as the recent attacks on Target and Home Depot. This security mindset rests on a lack of enforcement, the absence of meaningful penalties, and a culture that mitigates damage after an incident rather than preventing it. Because of this attitude of acceptance, patients are consistently at risk of having their personally identifiable information and protected health information compromised. To reset how healthcare organizations think about cybersecurity, measures must be taken proactively to protect these businesses against the attacks they will inevitably face. Otherwise, breaches are likely to continue until stricter enforcement and penalties are put in place for healthcare companies and their stakeholders.
All organizations need a proactive and comprehensive cybersecurity plan. However, although many organizations have the “right” plan and the necessary hardware, software, and processes in place, the reality is that many lack the time and resources to execute their response plan and to meet the documentation requirements of HIPAA, the SEC, and state regulations, all while maintaining business continuity. Therefore, to get started, healthcare organizations must focus on the four pillars of security:
- Governance, risk, and compliance;
- Security monitoring and management;
- Threat intelligence; and
- Incident response.
Once the strategy is developed and implemented, organizations must conduct an internal review and decide how much of the security function their own teams will carry: outsource security entirely, own part of it and outsource the rest, or staff up to close the gaps internally. Whatever the choice, the organization must strike a balance between its capacity to manage the unexpected and the resources it actually has.
The healthcare industry is the #1 industry targeted by attackers. It is imperative for organizations to reevaluate how they approach cybersecurity, rather than resting on their laurels and accepting the current “new normal” security mindset.