Can We Fully Prepare For Cyberattacks?

These days, it might seem like every other headline is about a large-scale health care data breach or ransomware attack. Indeed, an Accenture study from earlier this year found that 26 percent of Americans have had their data breached. And this May, the “WannaCry” ransomware attack caused chaos around the world, including for health care organizations; more recently, credit-reporting agency Equifax announced that as many as 143 million of its customers may have had their personal data stolen. In what’s become a familiar trend following these incidents, security experts are again warning that the health care industry is underprepared when it comes to cybersecurity—and that it may not even be possible for hospitals to fully equip themselves to deal with such incidents. As Fierce Healthcare first reported, a new article published in Annals of Internal Medicine highlights the cybersecurity difficulties that health care organizations face today. “There are things we can do to reduce the risk but it is very hard to perfect IT security, especially given the needs of modern hospital systems to have things moving between places and increasing demand for patient-facing access,” I. Glenn Cohen, one of the authors, explained in a press release. “To some extent, these attacks are inevitable.”

The authors, who hail from Brown University, Case Western Reserve University, and Harvard, recommend actions that both individual hospitals and the federal government can take to prevent and better respond to ransomware and other cyberattacks, while noting that, again, complete preparedness may be impossible. “We need a coordinated national effort,” Brown’s Eli Adashi, who teaches medicine at the university, said. Such steps could include interagency efforts to provide clear cybersecurity guidelines to hospitals. For their part, hospitals and health care organizations should prioritize “workforce training, retaining cybersecurity expertise, patching operating systems, and reporting attacks promptly to authorities.” Further, collectively, “hospitals should consider committing to a principle of ‘non-payment’ of ransoms to hackers…akin to the U.S. government policy of not paying ransoms to terrorists.”

In related news, new data released this past week shows the widespread impact that recent health care data breaches have had. As Health IT Security reported, data from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) on 2017 incidents showed that the largest three breaches alone might have affected as many as 1,497,800 people. OCR also examined the root causes of those breaches and other incidents, finding that hacking, phishing, and ransomware schemes were involved in the most incidents. “These incidents further show why organizations need to take the time to regularly review their physical, technical, and administrative safeguards,” Health IT Security’s Elizabeth Snell noted.

Click here to read the Fierce Healthcare article on the Annals of Internal Medicine cybersecurity piece.

Click here to read the Brown University press release on the Annals of Internal Medicine cybersecurity piece.

Click here to read the Health IT Security article on the new OCR data. 

