Protecting Patient Privacy: Cybersecurity Priorities For Healthcare

Uploaded on 2024-11-25 in FREE TO VIEW, BUSINESS-Services-Health & Welfare

promotion

For criminal masterminds, hospital infrastructure poses itself as an alluring target for malware, mayhem, and disruption.

The recent ransomware attack on Change Healthcare is just one example of this - with prescription deliveries being delayed or disrupted across America, all to the tune of a suspected $22 million ransom payment.

What are hospital IT professionals doing to address cybersecurity risks across the industry? As it turns out, a lot - as healthcare leaders become increasingly informed about the risks to their networks, professionals around the nation are working together to help protect against the threat of rogue states and other professionals.

Cybersecurity isn’t just the responsibility of system administrators, however - it’s important to note that every hospital professional, no matter whether you’re a recent graduate of an accelerated MSN program or an experienced clinician, we all have a role to play in keeping hospital networks safe and patient data protected.

Cybersecurity Is Increasingly Significant

According to research conducted by Kodiak Solutions, cybersecurity and data privacy continue to be a key risk area for healthcare management across America. Healthcare providers are lucrative targets, often because of the sheer volume of isolated systems that administrators and other key personnel have to work and protect.

A single successful cyber attack can potentially disrupt a healthcare provider, sometimes for weeks. While this can often seem like an idea from a wargaming session, unfortunately, there have been real and disruptive examples of ransomware attacks disrupting hospitals for extended periods.

Two significant attacks in the last year have included ransomware attacks on Ardent Health Services in November 2023, and Change Healthcare, in early March 2024. These attacks were significant - in the case of Ardent Health, patient data was copied and stolen from their ransomed system.

The attack on Change Healthcare’s ransomware has been much more significant. In the weeks since the attack was discovered and reported, it has resulted in substantial and ongoing disruptions to medical claims systems - resulting in significant impediments for clinics and practices to be able to submit insurance claims.

The Importance of Preparedness

The cyberattacks on Change Healthcare and Ardent Health highlight just how broad and varied the impacts can be. While you may not be able to protect against every type of attack, it’s important to consider how an organization may be able to prepare to respond when a cyberattack inevitably does occur.

Researchers from research advisory Gartner describe the notion of cybersecurity in terms of four key elements - proactive identification of risk, recovery or response procedures in place, enterprise-level learning and education, and practice.

By incorporating each of these elements into a cybersecurity framework, medical organizations can be prepared for cyber threats and feel confident in their ability to manage them effectively.

Consider, for example, if Change Healthcare had a recovery procedure in place to restore systems, rather than paying a suspected significant payout to ransomware owners during a recent attack on their systems. While it may not have entirely prevented an attack, it may have been a significant step in repairing compromised systems.

The provision of enterprise-wide learning opportunities may have been able to help medical personnel spot the signs of an intrusion and flag for assistance before any major attacks began. As you can see, these four key elements can all play a vital role in the protection of hospital assets.

Embedding Cybersecurity Within Healthcare

Cybersecurity doesn’t have to be solely the responsibility of IT professionals and system administrators. It’s important to highlight that no matter whether you’re a registered nurse or a hospital cleaner, there are things that you can do to help protect the digital landscape around you.

One hospital system that has had great success in fostering a preparedness culture has been Jackson Hospital in Florida. In January 2022, hospital staff experienced issues with patient charting software, a tool that’s vital to their work. Contacting IT staff, the Jackson Hospital IT team was able to rapidly identify that a third party had introduced dangerous malware to their emergency room charting system.

By having a prepared and aware team, IT director Jamie Hussey was able to rapidly activate contingency plans, isolating hospital IT systems while staff switched to paper and pen recording with minimal impact on patient care. Over the next two days, Jackson Hospital was able to perform a root cause analysis of the infected system, and slowly restore and recover other adverse systems.

The impact? While the ER charting system was down for about a week, Jamie’s team was able to restore other key systems safely within three days, with no loss of patient data and no degradation in patient care.

By embedding a culture of preparedness within the Jackson Health team, the IT director was able to make rapid decisions that meant the difference between a short-term outage for the hospital system, and a long-term, ongoing intrusion. The incident at Jackson Health is a great example of how a prepared and aware team can be a protected team.

The Changing Regulatory Environment

As cyber threats evolve, it’s important to not only prepare and protect against potential cyberattacks but to also stay informed on regulatory requirements. One such example of cybersecurity regulation that impacts the US healthcare industry in particular is the Cybersecurity Act of 2015 - Section 405(d).

In part, this act convenes a task group between the Department of Health and Human Services, as well as key stakeholders, leveraging the knowledge of industry professionals and providing ongoing publications on how healthcare providers can improve cybersecurity standards. It is essential reading for any information security professional, as it can help shore up cybersecurity awareness and preparedness within an organization.

Cybersecurity is a constant and ongoing threat - in the years to come, we can only begin to imagine how hospital systems will become vulnerable to ransomware and malware attacks. It’s critical to note, however, that hospital staff can take steps today that will help protect infrastructure and patient data against oncoming threats.

It may seem challenging and complex to protect data against the challenges of cyber threats - but for many organizations, it’s a small cost now to inoculate yourself from the large costs of ransoms and infrastructure repair.

It’s time for organizations to put their cyber awareness to good use - after all, your network infrastructure may just be the next target.

Image: Tima Miroshnichenko

You Might Also Read: 

Hackers Target Healthcare:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Practice Makes Perfect For Incident Response
Google Invests In U.S. Education With 15 New Cybersecurity Clinics »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

QinetiQ

QinetiQ

QinetiQ is one of the world's leading defence technology and security companies. Areas of activity include air, land, sea and space systems, weapons, robotics, C4ISR and cyber security.

Kramer Levin

Kramer Levin

Kramer Levin is a full-service law firm with offices in New York and Paris. Practice areas include Cybersecurity, Privacy and Data Protection.

Identity Automation

Identity Automation

Identity Automation is a leading provider of Identity and Access Management software.

InAuth

InAuth

InAuth Security Platform delivers advanced device identification, risk detection, and analysis capabilities to help organizations limit risk and reduce fraud.

Cyber Akademie (CAk)

Cyber Akademie (CAk)

Cyber Akademie is a training and education center providing high-quality training and information events on information security and data protection.

DTS Solution

DTS Solution

DTS Solution delivers advanced cyber security solutions through is technology partnerships with industry leading security vendors and advanced consulting services.

CyberArrow

CyberArrow

CyberArrow (formerly EBDAA) is a consultancy company providing high quality consultancy services in Risk & Compliance and Awareness & Education.

Clym

Clym

Clym is the data privacy platform that helps organisations meet their data protection obligations. Cookies, Consent, Requests, Policies and more are all managed in a secure and adaptive application.

Center for Applied Cybersecurity Research (CACR) - University of Indiana

Center for Applied Cybersecurity Research (CACR) - University of Indiana

CACR serves Indiana and the nation by tackling cyber risk in research and other unusual environments through agile, holistic, principle-based cybersecurity.

Cynterra

Cynterra

Cynterra is a next generation cloud cyber security and data analytical service provider offering cloud security compliance, data protection, visibility and threat protection services.

Great American Insurance Group

Great American Insurance Group

Great American's Cyber Risk Division offers cyber solutions for small and medium-sized businesses.

Singtel Innov8

Singtel Innov8

Singtel Innov8, the venture capital arm of the Singtel Group, invests in and partners with innovative technology start-ups globally.

Cyber Unit

Cyber Unit

Cyber Unit offer next level protection from cyber attacks in packages and pricing options that are accessible to smaller organizations.

Allurity

Allurity

Allurity is a group of tech-enabled cybersecurity service providers, comprised of best-in-class experts with a common mission to enable a safe digital world.

Qeros

Qeros

Qeros is a next-generation distributed system enables secure data and transaction processing at the velocity of thought.

Troye Computer Systems

Troye Computer Systems

Troye provide a complete range of digital workspace solutions that empower people to do their very best work in a safe and secure manner anywhere, anytime, using any device.