How to Protect Your Hospital — And Your Patients — From Cyberattacks

In a hospital, the stakes are always high. With lives on the line, clinicians work tirelessly to protect patient health. But what happens when a cyberattack disrupts mission-critical operations? Patient care is delayed. Digital operations are halted. Data access gets restricted. The risk of avoidable, adverse events increases.

Cyberattacks against hospitals are evolving. The U.S. Department of Health and Human Services (HHS) reported a 264% increase in ransomware attacks against healthcare organizations within the past five years. And the hackers behind them are no longer motivated by profit alone. Organized criminal gangs and military units are targeting critical sectors, and unlike amateur hackers, they’re out not just to gain monetary reward but also to instill fear and disrupt core business operations.

This poses grave implications for hospitals, providers administering care, and patients receiving treatment. Successful cyberattacks can bring health systems to their knees. Downed systems, inaccessible patient data, and disruptions to operations incidentally increase patient risk. In one case, a hospital asked its staff to donate O-type blood after a cyberattack created a supply disruption and paralyzed a hospital's blood-testing operations. And when sensitive patient data is compromised, patients can experience physiological distress from the risk of ePHI access and identity theft. Healthcare organizations face reputational damage, loss of trust, and steep fines.

While ransomware attacks are the most high-profile, hospitals face attacks of all kinds. According to the Department of Health and Human Services, some of the top vectors include social engineering, phishing, and DDoS. The attacks aren’t slowing, and they’re only getting more sophisticated, and therefore more effective. Hospitals must update their cyber defense mechanisms to counter the elevated threat level and secure their systems. Today, better cybersecurity isn’t optional; it’s more essential than ever. 

In healthcare, an ounce of prevention is worth a pound of cure

The best way for hospitals to minimize the impact of cyberattacks is to reduce the risk of them happening in the first place. Some strategies cybersecurity teams should be employing:

• Do tabletop exercises to proactively respond to real-world scenarios: Penetration tests help detect vulnerabilities, but be sure your security teams are conducting tabletop exercises, which involve roleplaying and simulating real-world threats in your environments. 
• Conduct audits and assessments to ensure adequate resourcing: Assess how effective your technology and controls are against threats and determine what further steps you need to harden your security. Audits and assessments also determine if you have the right people and resources to maintain the minimum required level of operations, even during an attack.
• Educate the healthcare workforce: Teams at all levels of the organization need to be aware of the impact of cyberattacks on the business and, most critically, the patient. Do they know how to detect suspicious activity and avoid becoming a victim of phishing? Or how to maintain care continuity when a ransomware attack occurs? Do they know how to protect the patient when normal operations are disrupted? Education on how to maintain mission-critical operations during a successful attack prepares all teams to successfully execute downtime procedures with patient safety in mind.
• Manage risk as an enterprise: With disruptions to operations, financial losses, regulatory fines, and reputational damage, hospitals cannot afford to view cyber risk in isolation. To effectively mitigate risk, we must truly understand the larger risk landscape, organizationally. 

Minimizing the fallout, when disaster does strike

Of course, not all threat vectors can be eliminated. A cyber resiliency model protects the patient and minimizes disruption to the business when cyberattacks are successful.  

• Truly know your threat landscape: Healthcare organizations should have foundational visibility and monitoring, and establish baselines to detect deviations quickly. (New York Presbyterian, for instance, built a platform that alerted privacy officers if patient records were accessed improperly.) Identify any security gaps and necessary investments to process, technology, and cyber strategy to minimize the attack surface. Risk mitigation plans should expand past security teams to include resources across mission-critical applications and services. Security controls and investments should align with the organization's broader enterprise risk management strategy.
• Embrace information sharing: After an attack, organizations should conduct a thorough post-mortem and use the results to improve strategies and share new entry points with the healthcare community. Rapid knowledge sharing is the first critical step to preventing a widespread cyberattack. Law enforcement and government agencies, such as CISA, have developed and implemented information sharing programs to share essential information rapidly. 

Healthcare organizations have a formidable task before them. Where patients and lives are concerned, the stakes will always be high. But better cyber defense is not impossible. By increasing preparedness (through tabletop exercises, cyber risk management, information sharing, and more), they can reduce the likelihood and impact of successful cyberattacks. And they can better fulfill their mission to protect patient health.  

To get the latest industry insights on all things healthcare and cybersecurity, subscribe to the Perspectives newsletter.