Last Thanksgiving became the latest stark reminder of the cybersecurity risks that hospitals and healthcare systems face in our modern age. Ardent Health, a network of over 30 hospitals across six states, was hit by a massive ransomware attack that temporarily crippled their systems and forced them to relocate emergency room patients to other hospitals in the area as well as reschedule non-emergent, elective procedures. In early December, two weeks after the attack, Ardent was able to bring its electronic medical record systems and some other core systems back online, and since then, it has continued trying to bring all remaining systems back online, such as its patient portal and online scheduling system.
But the time it is taking to gradually return to full operation is a vivid illustration of the medical, financial, and reputational harm that can occur as a result of cyber-attacks and why hospitals and healthcare organizations must take a good, hard look at the risks in order to make the best decisions they can to protect themselves and their patients.
Three Foundational Principles of Healthcare Cybersecurity
When discussing cybersecurity risks to the healthcare sector, three foundational principles should be considered: data confidentiality, data integrity, and data availability. Any work in cybersecurity necessarily involves one or more of those three properties.
Data confidentiality is, of course, keeping secret any information that needs to be kept secret. In a healthcare context, that would include the personal health information (PHI) of patients or any information in a patient’s medical record, including diagnoses, clinical data, and treatment protocols. The confidentiality of PHI is enforced by law and healthcare organizations are correct to be vigilant about this. Not all information that organizations like to keep secret necessarily needs to be, though, and sometimes doing so in itself can cause problems, something I’ll come back to a bit later.
Data integrity is ensuring that data is accurate, intact, and has not been tampered with. Again, in a healthcare setting, it’s obvious why the accuracy of any information pertaining to patients’ diagnoses or treatments would be critically important.
And, finally, data availability makes sure that information and services are accessible when they need to be. You don’t want any situations where healthcare staff need to access a patient’s clinical data, such as before a surgical procedure, but not have it available. Unfortunately, cyber-attacks can compromise one, two, or sometimes all three of these areas, making cybersecurity an issue that can potentially make or break an organization’s long-term success.
Institutional Barriers That Lead to Greater Risk
Despite how common ransomware incidents have become, numerous barriers still stand in the way of hospitals and healthcare systems taking adequate steps to protect themselves. The first and probably the biggest barrier has to do with the fact that the case for strengthening cybersecurity is often not an easy sell, at least not from the viewpoint of senior management who are tasked with balancing numerous, often competing priorities with limited resources. Moreover, hospitals and healthcare organizations, especially non-profit ones, generally work with tighter budgets for cybersecurity than, say, financial institutions that can afford to allocate more.
On top of this, cybersecurity is a cost center or a function that does not generate revenue but still costs the organization money. Of course, a good case can be made that cybersecurity indirectly boosts revenue by preventing or reducing losses resulting from disruptions such as the kind that happened to Ardent Health. But it takes a skilled CISO to convey this to the CEO, COO, CFO, and other C-suite level executives in a way that resonates with them.
Then there is also the fact that upgrading cybersecurity measures can present inconveniences to hospital staff due to stricter authentication processes such as more complex passwords, frequent password changes, and multifactor authentication. When you combine such inconveniences with the lack of a revenue-generating function, you can see why any CISO would be hard-pressed to get the decision-makers of a healthcare organization on board by putting more resources into beefing up cybersecurity. Unfortunately, it sometimes takes nothing less than an incident to occur to sway people’s minds.
Another barrier has to do with the overall culture of cybersecurity in the healthcare sector at large. To have a healthy cybersecurity ecosystem, healthcare organizations need to be forthcoming about sharing information about cyber-attacks when they occur. But despite the existence of Health-ISAC, participation is voluntary and many hospitals and health systems do not participate. The general tendency is still for healthcare organizations to be reticent about attacks they may have recently endured.
Part of this is due to not wanting word to get out that they’ve been hacked for reputational reasons. The other part is that healthcare organizations can be very territorial with their information and don’t like sharing it with those they may perceive as competitors. This is short-sighted since a more mature and healthier cybersecurity ecosystem where information is shared ultimately benefits everyone and, conversely, a less transparent ecosystem hurts everyone.
One Solution Does Not Fit All
Ideally, all healthcare organizations would do everything they could to protect themselves and their patients in an era of increasing threats. However, as discussed, there are some very real and practical barriers that get in the way. Even if an organization's decision-makers fully understand the cybersecurity risks, they may feel their organization simply does not have the resources to spare for robust security solutions. This is a legitimate concern and not something to be scoffed at.
Recognizing this, it’s impossible to prescribe a one-size-fits-all solution in which every organization must devote a certain number of resources and attain a certain standard of security. At the same time, the Ardent Health ransomware incident has been a vivid reminder of how potentially disastrous data breaches can be. It therefore behooves all organizations to at the very least take the matter very seriously and to perform thorough risk-cost-benefit analyses that assess the level of risk their organization faces, what level of risk they’re comfortable accepting, how much resources they’re able or willing to allocate to the problem, and the actual solutions that they will implement based on their needs and situation.
