[BreachExchange] For hospitals, full cybersecurity may be impossible

Destry Winant destry at riskbasedsecurity.com
Thu Sep 21 09:05:43 EDT 2017


http://www.futurity.org/hospitals-cybersecurity-ransomware-1547402/

In a new essay, medical and legal experts outline steps that hospitals
can take to secure themselves against dangerous and damaging hacking
attacks. They also say, however, that many strategies will be
difficult to implement and that, ultimately, full security may be
impossible to achieve.

Especially cruel hackers know that lives are on the line when they
hold a hospital’s computer systems hostage, as they did in the May 12
attack dubbed WannaCry, which locked down many overseas hospitals with
the demand for a ransom.

“Patients can suffer severe negative health effects if their treatment
is delayed, discontinued, or performed incorrectly because hospital
records are unavailable,” the authors write in the essay.

“There are things we can do to reduce the risk but it is very hard to
perfect IT security, especially given the needs of modern hospital
systems to have things moving between places and increasing demand for
patient-facing access,” says I. Glenn Cohen, a professor of law at
Harvard University and coauthor of the article. “To some extent, these
attacks are inevitable.”

The authors cite research that counted nearly 2,000 hospital data
breaches of varying kinds between 2009 and 2016. In 2016, a
ransomware attack hit a hospital system in the Baltimore area, forcing
workers to rely on paper records.

In their new paper, the authors list several steps—some simple and
others more complex—that hospitals can take to prevent or at least
mitigate attacks and to ensure that they are in compliance with the
Health Insurance Portability and Accountability Act, which requires
holders of health records to keep them secure.

Some of the more straightforward tactical recommendations include
workforce training, retaining cybersecurity expertise, patching
operating systems, and reporting attacks promptly to authorities. They
also recommend more strategic, nationwide steps, even though those may
be harder to accomplish.

Coauthor Eli Adashi, a professor of medical science and former dean of
medicine and biological sciences at Brown University, notes that the
US government’s response in the wake of WannaCry was fragmented among
many agencies, although just the day before President Donald Trump had
issued a sweeping executive order instructing federal agencies to
embark on a number of actions to ensure greater cybersecurity.
Building on that to develop a cohesive government response pertaining
to health care infrastructure, he says, could provide all hospitals
with common, well-informed guidelines.

“We need a coordinated national effort,” he says. “This will take time.”

Cohen says another key step could be for the Joint Commission, which
accredits hospitals, to make cybersecurity requirements a high
priority in renewing accreditation.

And hospitals should consider committing to a principle of
“non-payment” of ransoms to hackers, the authors propose, akin to the
US government policy of not paying ransoms to terrorists. Adashi says
all of these steps, but especially that one, should be implemented
only after considerable public discussion.

After all, with lives on the line, Cohen acknowledges, pressure could
quickly build to abandon an abstract policy, especially if it didn’t
have buy-in from patients.

“If I were a hospital CEO, it’s one thing to make this pledge ex ante,
but it’s another thing when you have a population of patients who need
health care to stick by it,” he says.