The Diagnosis: Cybersecurity in Healthcare Is Lacking

The U.S. healthcare infrastructure has experienced some of the worst cyberattacks on record, and in many cases the targets were ill-prepared to fend off the attack or to recover from it. Consider the following recent cyberattacks on healthcare facilities:

• A technician connected one of Beth Israel Deaconess Hospital’s X-Ray machines to the internet to download updated software. Notwithstanding the Hospital’s efforts to secure the machines, hackers broke into the connection to download more than 2,000 X-Rays from the machine to a server in China.
• Boston Children’s Hospitalwas hit with a distributed denial-of-service (DDoS) attack in 2014, presumably in protest against the hospital’s refusal to grant certain treatments to a patient. The attack affected several other hospitals, which needed emergency third-party assistance to deflect the attack.
• Hackers set up a fake website that they used to convince doctors at Mass General Hospital to give them confidential personal and payroll data.
• A Los Angeles area hospital paid hackers more than $17,000 to recover from a ransomware attack that froze the hospital’s system.

These are only the more egregious examples that highlight the poor state of cybersecurity in the country’s medical centers and hospitals.

Many observers cite two general causes for this problem: (1) the increasing number of internet-connected (“IoT”) medical devices, such as the Beth Israel X-Ray machine that hackers attacked and other diagnostic equipment that interfaces with electronic medical records; and (2) a dearth of skilled personnel who can improve hospital and medical center cybersecurity. Regarding this second cause, that skilled personnel is typically lured away to the technology industries, where salaries and opportunities for advancement are perceived to be higher.

Healthcare facilities have several options to address the first of these causes. Those facilities first need a good inventory of the total number of medical IoT devices that are connecting to the information systems networks. They might discover that many of those devices are running old software or legacy operating systems with known vulnerabilities. The facilities should update all software and systems and institute a program to install regular updates as manufacturers release them. If some IoT devices are subject to greater risks than others, a medical center should consider segmenting those devices in data silos that expose a smaller portion of the center’s total data infrastructure to hackers.

The solution to the second cause is obvious, but will likely take time and (unfortunately) more cyberattacks on medical centers before the healthcare industry places more importance on hospital cybersecurity. Health centers will need to offer competitive salaries to cybersecurity specialists and give them better options for professional growth within the healthcare system. Medical Device IoT manufacturers can also offer similar opportunities to attract and keep cybersecurity talent.

Until then, medical centers and hospitals will face stiff competition for that talent. Cybersecurity job postings have almost doubled over a seven-year period and certified cybersecurity professionals are now commanding six-figure salaries. The political climate continues to put pressure on healthcare systems to reduce costs, but the needs of cybersecurity will resist that pressure.

The problems of cybersecurity in healthcare are therefore not going away easily. Even as medical centers and hospitals ramp up their cybersecurity defenses, however, they will never completely eradicate the threats posed by hackers. Cybersecurity insurance can help a healthcare facility that has experienced a successful cyberattack to recover systems and to compensate for damages, while also providing compensation for third parties whose personal medical information was compromised by the cyberattack. The patient’s current diagnosis may not be the best, but the longer-term prognosis to counter and control the problem is promising.