Cybersecurity experts say that the two biggest threats to healthcare cybersecurity are insider threats and ransomware.
John Riggi, senior advisor for cybersecurity and risk for the American Hospital Association, said impact ransomware attacks have been accelerated by the COVID-19 pandemic. These kinds of attacks are responsible for disrupting healthcare delivery and putting patients' safety at risk, according to Mr. Riggi.
But, "no organization can 100 percent prevent these attacks," said Mr. Riggi.
Impact ransomware can take down a health systems' network for up to four weeks, meaning health systems have to prepare their downtime procedures.
"We are seeing now that hospitals understand that they must prepare for downtime procedures and clinical downtime procedures beyond 96 hours," Mr. Riggi said. "They have to look at how they can continue safe, high quality patient care, for about three to four weeks."
The other threat to healthcare cybersecurity is health systems' own employees, according to Lee Kim, senior principal, cybersecurity and privacy at Healthcare Information and Management Systems Society.
Insider threats include healthcare employees who abuse their access rights to steal patient data to commit identity theft and financial fraud, employees who act inappropriately, or those who accidentally put IT systems and data at risk without their knowledge.
This kind of threat, according to Ms. Kim is the biggest threat to healthcare cybersecurity.
"If we look at the statistics, it's by and large that people are generally the gateways to cybersecurity incidents," said Ms. Kim. "These insider threats are pretty significant and have heavy-hitting impacts to organizations."
According to HHS, organizations lose about $11.45 million annually due to insider threats.
Ms. Kim said health systems must ensure there's adequate governance for cybersecurity programs so that policies and procedures are put in place. She also said that employees need to easily understand them and why they exist.
"Staff absolutely needs to be trained on cybersecurity policies yearly, in addition to education about what it is and how you comply with HIPAA," said Ms. Kim. "Security awareness is something that should be done regularly. I'd say at least monthly, if not more frequently. Keep metrics in terms of who's falling prey to phishing emails, learn who your repeat offenders are, and re-educate your repeat offenders."