Like any large company, a modern hospital has hundreds or thousands of workers using computers, smartphones, and other electronic devices that are vulnerable to security breaches, data thefts, and ransomware attacks.
Hospitals are unlike other companies, though, in two important ways:
1. They keep medical records.
2. Hospital electronics help keep patients alive, monitoring vital signs, administering medications, and breathing and pumping blood for those in the most dire conditions.
A 2013 data breach at the University of Washington medical group exposed about 90,000 medical records and resulted in a US$750,000 fine from federal regulators. In 2015, the UCLA Health System, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for 4.5 million patients.
Cyberattacks can interrupt medical devices, close emergency rooms, and cancel surgeries.
Protecting hospitals’ computer networks is crucial to preserving patient privacy. Research shows that the health care industry lags behind other industries in securing its data. A major challenge in hospitals’ cybersecurity is the large number of devices with access to hospital systems.
These include mobile phones, tablets, desktop computers and servers, but they also have large numbers of patients and visitors who come with their own devices as well. Each of these items is a potential on-ramp for injecting malware into the hospital network. Hospital officials could use software to ensure only authorized devices can connect, but even then, their systems would remain vulnerable to software updates and new devices.
Another weakness comes from medical equipment offered as free samples by device manufacturers who operate in a competitive market. Our research suggests that hospitals need stronger processes and procedures for managing all these devices.
Getting hospital administrators to understand the importance of cybersecurity is fairly straightforward. They told us they’re worried about costs, institutional reputation, and regulatory penalties. Getting medical staff on board can be much more difficult. They are more focused on patient care and don’t have time to worry about cybersecurity. People typically treat cybersecurity protections as secondary to what they’re trying to get done.
These experiences are why we concluded that budget limitations are not as crucial to hospital cybersecurity as employee involvement. A hospital can buy as many pieces of hardware and software as it wants. If workers aren’t following organizational procedures, the technology won’t keep hospitals safe.
We have discovered that cybersecurity is as much about managing people as it is about technology. Hospitals need to think beyond compliance. And with so few hospitals well-defended against cyberattacks, all hospitals appear more attractive as potential targets. In our view, it’s not enough for hospitals to improve their own defenses. They should manage, and evaluate the security of the devices on their networks and ensure medical staff understand how good cyber-hygiene can support good patient care.
Policy makers and health care leaders and hospitals themselves should work together to make the industry as a whole less susceptible to attacks that threaten people’s privacy and their very lives.