An upward trend in cyber-attacks and data breaches against the healthcare industry, particularly phishing, has pressured many hospitals, including Cambridge Health Alliance, to put more focus on cybersecurity, both in their networks and among their staff. However, Dr. Brian Herrick, chief medical information officer at Cambridge Health, explains that worrying about security is difficult when so many things are going on at once – it’s a balancing act. “You have the patient interaction, you have the computer, you have security and you’re actually trying to think clinically about what to do next,” said Dr. Herrick. Healthcare organizations are required by law to protect patient information. However, as Dr. Herrick explained, a simple phishing email could easily slip through the cracks if a doctor is rushing to get patients in and out the door as quickly as possible, as was likely the case in recent ransomware attacks at Hollywood Presbyterian Medical Center, MedStar Health and many others.
Cybersecurity experts attribute the shift of attacks from the financial industry in previous years to healthcare to inefficient cybersecurity practices, the immense value of healthcare records and, perhaps most importantly, the willingness of these organizations to pay ransoms because of the life-threatening consequences of downed systems. In response, Dr. Herrick says cybersecurity has risen to become one of their “number one concerns” as they focus on new measures to make cybersecurity seamless and easier to use. One example Cambridge Health is currently working on is moving away from passwords for user authentication to prevent phishing attacks. “Whether it’s using a fingerprint or inking your card and eliminating all those things you initially need to think about … and [ending] that habit or trend to use the same password across all platforms and applications,” said David Ting, co-founder of hospital cybersecurity firm Imprivata.
Additionally, hospitals attempt to raise alertness through staff testing – IT security departments regularly send out phishing-style emails attempting to fool staff into clicking on a link. They also offer online tutorials on spotting malware, which has led to a 97 percent pass rate for their staff. “They think before they click … and we give them tools to figure out if something may or may not be phishing.” Hospitals have also begun hiring outside facilitators for simulated emergency response drills that test hospitals’ responses to data breaches, moving cybersecurity awareness from the executives to the medical processes in the hospital. No healthcare organization is immune to an attack, but increased attention and experience will ideally push cybercriminals away from the healthcare sector.