What Can Hospitals Do To Protect Themselves from Cyber Attack?

November 19, 2020

While everyone’s eyes we on the possibility of cyberattacks against government systems during the US presidential election, hospitals in America were, in fact, actually being attacked. The FBI reported on October 27th that more than 500 hospitals in the United States had been targeted by cyber attackers. While the timing, during the American presidential elections, raises questions about the motives of the attackers, hospitals are always vulnerable, as are all critical urban infrastructure operations in the United States.  In Europe, a patient has already died because they couldn’t get access to specialized services at an appropriate hospital during a cyber-attack.

It is not yet known how many hospitals agreed to pay the ransom demanded by the attackers to regain control of their computer systems.  When the National Health Service in the United Kingdom was attacked several years ago, doctors performing surgery instantly lost access to critical information like the blood type of their patients and the status of blood supplies in the hospital. The attack triggered a complete rethinking of cybersecurity practices. There is no question that cyber-attacks can put lives at risk, although no deaths were reported as a result of the most recent attacks.

Cyber-attacks on health care providers are extremely consequential and scary.  There is, unfortunately, no advanced technological solution that can fend them off. There are, however, a number of defensive social engineering moves that every hospital can take immediately to reduce the chances of a successful attack.  First, they can identify their most important computer systems and data sets, and make sure they have readily accessible back-ups that can be called into play immediately if that becomes necessary.

Second, their IT staff can segment their existing systems so that successful attackers cannot gain entry to their whole system all at once. (This might mean giving up some of the coordination advantages of having fully integrated systems.)

Third, they can contact their suppliers, partners and others -- who interact regularly with the hospital’s online systems -- to make sure their partners have taken appropriate steps to educate their own staff about basic cyber hygiene and are working to protect their own systems. One weak link in an open network can compromise all the organizations involved.  At the same time, they can block all access to the hospital’s networks from blacklisted sites supplied by the FBI and Homeland Security. 

Fourth, they can make absolutely sure that all security patches supplied by software providers are deployed as soon as they arrive. Finally, they can communicate regularly with their own staff to reinforce the key points they underscore for all new employees --- don’t open phishing attachments from unknown sources, don’t give out your password or any other security information to anyone, use two-factor authentication, and learn what the organization’s emergency action or hazard response plan requires you to do if you are attacked.

Identifying essential systems and data for backups, segmenting existing systems and networks, taking preventative measures with external vendors, and teaching basic cybersecurity protocols to new employees are not expensive pre-attack actions that hospitals can take.  And, while they won’t supply an infallible shield against cyber- attack, they will reduce the most likely vulnerabilities and lower the overall risk of being attacked.