While cybersecurity isn't a new issue for healthcare organizations, it remains among the top areas of concern for CIOs in 2020.
Cyberattacks in the form of ransomware, malware, phishing emails and other nefarious hacks can result in patient record exposure, locked patient information, EHR downtime and delay in patient care. Since 2016, there have been 172 individual ransomware attacks on healthcare organizations affecting 1,446 hospitals, clinics and other organizations, according to a Comparitech report. The report also noted 6.6 million patients have been affected by these attacks and hackers have demanded $16.48 million over the past four years.
The additional expenses associated with ransomware attacks total around $157 million since 2016, a hefty price tag. In December, Hackensack (N.J.) Meridian Health paid an undisclosed sum to stop a ransomware attack that caused a two-day shutdown of its computer system. DCH Health System, a three-hospital system based in Tuscaloosa, Ala., also paid hackers to restore access to its record system last October after diverting patients away from its facilities.
In February, 500 offices affiliated with Boston Children's reported their computer systems were shut down in a malware attack. In South Carolina, patients filed a class-action lawsuit against Georgetown-based Tidelands Health after the system experienced a malware attack and clinicians turned to paper records while the IT network was temporarily offline. The suit claims the health system violated HIPAA, failed to report the incident to HHS and that at least one patient was given food items she was allergic to because her medical records were inaccessible.
The list could go on and on.
"Cyber activity will continue to be a challenge for many years into the future," said Tom Andriola, vice president and CIO of the University of California System in Oakland. "I think one of our biggest shifts is to include an element of proactivity into our approach, such as threat intelligence, and understanding would-be attackers as well as continuing to strengthen our defenses to protect, detect and respond."
CIOs and chief information security officers are charged with strengthening the organization's defenses against cyberattacks and implementing the right technologies and upgrades. While some organizations are investing heavily in new technology, others see a different weakness that they will address this year.
"We recognize that the mix of technologies in our environment today is rapidly changing and adding complexity to how we protect ourselves against cyberattacks," said Phyllis Teater, CIO of the Ohio State University Wexner Medical Center in Columbus. "With the introduction of IoT, cloud computing and more sophisticated clinical devices, we are definitely on guard in more areas than ever before. However, our focus remains on educating the end user."
Email phishing attacks are a top concern for health systems, and despite the best efforts to warn employees, the hackers continue to find success. Last March, Wise Health System in Decatur, Texas, notified nearly 67,000 patients that their protected information may have been exposed when multiple employees fell victim to a phishing attack. Hackers asked employees to disclose their credentials, and then attempted to reroute payroll direct deposits. The health system notified patients whose information was stored within those employees' emails.
In January, Springfield, Ill.-based Hospital Sisters Health System notified 16,147 patients that employees had fallen victim to phishing attacks and patient data may have been exposed.
"[The end user] remains the primary way in which cybercriminals gain access to our network and information resources," said Ms. Teater. "This is such a dynamic and difficult-to-manage space that we must engage our users by providing advice and education to them on behaviors that will help keep us safe. In a world of 300 emails and texts in one day, it is a challenging endeavor to provide the right amount of information in the right way for it to be consumed by our community."
Like many organizations, OSUWMC uses testing and tabletop exercises to simulate attacks and identify opportunities for improvement. The leaders of Wayne HealthCare in Greenville, Ohio, also saw the need for improved education and enlisted a full-time partner to better protect the organization and make sure it will be able to recover from an attack, if one occurs.
"Cybersecurity has always been at the forefront of everything we do with technology," said Shelton Monger, vice president of information systems, CIO and corporate compliance officer at Wayne HealthCare. "We have transformed the mindset of our users to healthy skepticism of unusual email and the need to click or open attachments."
Jeffrey Sturman, senior vice president and CIO of Hollywood, Fla.-based Memorial Healthcare System, said the system created video campaigns on cybersecurity topics such as phishing and "what is PHI?" "We have established a senior executive cybersecurity task force that meets regularly to discuss topics and determine the proactive measures we need to put in place," he said.
On the technology side, Bruce Metz, PhD, executive vice president and CIO of the Accreditation Council for Graduate Medical Education, said that in 2020 the organization will move away from passwords to biometric-based technology for more secure and convenient access, coupled with conditional access tools that apply the right security controls to the right users and devices as the organization moves to a cloud-based model.
In Sterling, Ill., the CIO of CGH Medical Center is also taking a new technology approach to combat cyberattacks: network segmentation. "[It's] a nightmare to implement, but it's new table stakes in our effort to minimize damage from these attacks," he said.