Top 5 cybersecurity actions hospitals must adopt

July 28, 2022
A holistic security strategy can prevent both physical and cyberattacks

The 2021 cyberattack on Boston Children’s Hospital was a high-profile event, but it was far from unique. The healthcare sector is increasingly at risk of cyberattacks, especially from state-sponsored hacking operations in Russia, North Korea, and Iran.

The FBI identified the latter country as the perpetrator of the attack on Boston Children’s, and thanks to prompt action, the attack was foiled. However, the data shows a growing threat, and most healthcare systems haven’t been so lucky. According to a report from cybersecurity company Critical Insights, data breaches in 2021 exposed the protected health information (PHI) of some 45 million people across a total of 679 attacks.

When it comes to cyberattacks, the healthcare sector isn’t being singled out. The financial and manufacturing industries have seen more than their fair share of ransomware and other malicious hacks. Hospitals, however, are more vulnerable for a few reasons:

● Soft targets. Healthcare has lagged behind other sectors in its security awareness profile. Hospitals may be using legacy hardware and software that hasn’t been updated, making it vulnerable to hacking exploits.

● Health data. Hospitals are rich in health and personal identification data. The data can be used to compromise individuals or in other extortion schemes and can be resold on the dark web. Data goes beyond health histories – it includes credit cards and social security numbers.

● Incentive to pay the ransom. Hackers holding hospital data for ransom can put patients in life-threatening situations. Without access to medical health records, doctors and nurses may have to cancel surgeries or other necessary healthcare.

There are ways for hospital systems to safeguard their networks, their patients, and their staff from cyberattacks. Even the smallest of healthcare providers have access to resources that can help prevent malicious hacking attempts.

The first step is to identify a hospital’s vulnerabilities and act. For instance, clinical and administrative staff may not have had the proper training to identify an e-mail that includes malware. In one case that I know of, the hospital’s Chief Information Security Officer fell victim to a phishing e-mail.

Other vulnerabilities include confidential information left out in the open on someone’s desk, or passwords on a sticky note under a keyboard. While it may seem like a jump from the physical world to a cyberattack, the fact is that physical security is an essential part of preventing a network attack. When criminals gain access to data by physical means, this sort of infiltration is called social engineering, and it can be one of the hardest breaches to prevent.

Finally, hardware and software are especially vulnerable, and not just legacy systems. Hospitals may not have records of all the different computer systems they have installed. A great many medical devices can be accessed via the Internet, which means they may serve as an entry point for a malicious attack.

So, what can be done to prevent a hospital from becoming the next victim of a cyberattack? These five activities are necessary steps in establishing a security operation.

Digital Assets Management

The hospital IT security team should conduct an inventory of all computer hardware and software on the network and identify their vulnerabilities. Legacy systems should be patched with the latest security update or taken offline. As the healthcare industry has embraced the Internet of Things, many individual medical devices are connected to and send data to the cloud. This is convenient and allows for effective healthcare, but these devices are another point of entry for a malicious attack. The IT security department should manage records of each of these devices as well as all digital assets such as electronic health records.

Invest in Security

Security may be expensive, but a data breach is even more so. Hospitals need to make security a part of their budget and allocate resources toward tools, training, and security operations. Advanced threat protection, email filtering, cloud security, and training will fortify hospitals against attacks. It’s important to remember that security isn’t just a one-time activity. Hospitals have to create a security mindset among staff and executives and constantly stay ahead of new threats.

Contact CISA

The federal government’s Cybersecurity & Infrastructure Security Agency has a vast array of resources for hospitals to help with building a security program. CISA provides regional advisors who can lead hospitals through tabletop exercises and training, as well as provide advice to improve their security profile. CISA also helps hospitals safeguard against physical security breaches, such as active shooter situations. Its resources include bulletins and other information. Hospitals that work with CISA are overall better informed about their risk and have a better chance of protecting themselves against an attack.

Training and Exercises

Hospitals must commit to training all staff, from doctors and nurses to administrative staff, to executives and even boards, on security best practices. Most cyberattacks are successful because someone inadvertently responded to a phishing e-mail. It’s vital to train everyone on how to identify a phishing e-mail, whom to contact if they aren’t sure about an e-mail, and what to do if they have clicked on a link. It’s important not to punish staff who make a mistake. Instead, the focus should be on proper training so users can make the right choices.

Training also includes clean desk policies, which ensure the safety of confidential data and passwords. Training should never be a one-time event. Hospitals should conduct tabletop exercises, which are used by security professionals in all industries, at least twice a year, if not quarterly. These exercises identify vulnerabilities and solutions, and they can be updated as new threats emerge.

Exchange Information

No hospital needs to go it alone when it comes to security. Hospital CISOs should regularly meet and communicate with their counterparts at other hospital systems. They should also communicate with local, state, and federal law enforcement. As with CISA, working together with other organizations can help strengthen defenses.

Hospitals have a moral, financial, and ethical interest in safeguarding their patients’ data and keeping their hospitals safe for their staff and their community. A holistic security strategy can prevent both physical and cyberattacks, ensuring that patients are protected, clinical and administrative staff are safe, and hospitals can get on with doing what they do best – providing medical care to the people in their care.

About the author: Dr. Brian Gant is an Assistant Professor of Cybersecurity at Maryville University, with over 18 years of Corporate and Federal Government experience in analytics, threat intelligence, critical infrastructures and executive protection.