How Hospitals Can Protect Against Ransomware: Expert Advice

In the wake of last month’s WannaCry ransomware attack, which caused chaos at hospitals in the United Kingdom, and at a time when large-scale health care data breaches have often dominated headlines, experts are urging health care organizations to double down on their commitment to cybersecurity. The good news for hospitals and health systems? The steps they can take to protect themselves are often simple ones, as health care analyst Paul Keckley emphasizes in a new column published in Hospitals & Health Networks Magazine. As Fierce Healthcare first reported, Keckley offers a series of tips for hospitals seeking to defend against ransomware attackers. “It is a local hospital’s preparedness that’s key to prevention,” he writes. “In general, hospitals must make cybersecurity a high-priority concern at every level of operations.”

The risk of attacks, Keckley notes, is significant, as “hospitals have been dubbed the ‘perfect mark’ for ransomware attacks because access to patient health information is essential for providing critical care and organizations therefore are willing to pay to get their systems up and running quickly.” To that end, cybersecurity should be prioritized. First, Keckley recommends ensuring that all “operating systems, browsers, and applications” within an organization are updated at all times, along with every device operating on its network. Similarly, keeping abreast of federal policy changes in this area is crucial. Also important: working with staff on best practices. “Investing in employee awareness and training, implementing troubleshooting techniques, and data protection must be ongoing and adequately funded to prevent the hospital becoming the target of disabling ransomware or experiencing a major breach,” says Keckley. He suggests distributing manuals on cybersecurity practices to all staffers, and making sure that they are all using “stronger passwords” on their devices. Finally, backing up all important files and not clicking on suspicious links are essential.

In related news, a new report issued by a Department of Health and Human Services (HHS) task force dedicated to enhancing cybersecurity among U.S. health care organizations was critical of the degree to which health care organizations have failed to prioritize data security. The Health Care Industry Cybersecurity Task Force, convened after the 2015 passage of the Cybersecurity Act, found that organizations’ cybersecurity challenges could negatively impact their efforts to work toward greater interoperability—a key goal when it comes to improving the quality of health care. “The health care system cannot deliver effective and safe care without deeper digital connectivity,” the authors note. At the same time, “If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.” The report identifies a range of reasons for the industry’s current security challenges, including limited budgets for cybersecurity measures at many organizations and the fact that many are relying on outdated technology, and makes a series of recommendations. Among them: working to “define and streamline leadership, governance, and expectations” in the industry, building the necessary workforce capacity to prioritize cybersecurity, and working to “increase the security and resilience of medical devices and health IT.”

Click here to read the article from Fierce Healthcare on cybersecurity advice for hospitals. 

Click here to read the cybersecurity tips from Hospitals & Health Networks.

Click here to read the report from the Health Care Industry Cybersecurity Task Force.

