The cyberattack that hit British hospitals and hundreds of other organizations in more than 100 countries last week continues to unfold and has been called unprecedented in its scope.
For health care journalists, there are important questions to ask hospitals, other health care organizations – and even their own media organizations – about their level of preparedness and response plans for such an attack.
Coincidentally, leading cybersecurity experts were gathered in San Francisco for the HIMSS Privacy and Security Forum on May 12 as the crisis in London was developing.
The consensus from experts at the forum was that most health care organizations are underprepared for malware and other types of cyberattack, even as health data becomes a high-value target for cybercriminals.
M.K. Palmore, assistant special agent in charge of the San Francisco cyberbranch for the FBI, said that cybercriminals are smart, challenging to catch and tend to go for the easy targets.
“The path of least resistance is always the route they will go,” Palmore said in a keynote address, which includes health care organizations with inadequate cybersecurity.
The weakest link in cybersecurity at health systems is its personnel, who often are not trained to spot phishing and similar efforts to access systems data. These people often create weak account passwords that are not changed often enough. Compounding the problem is that systems often are still using older software and don’t stay current with security patches, noted Palmore and other speakers at the forum.
From what is known about the current global outbreak, it preyed on flaws in Microsoft Windows systems to spread the malware, dubbed WannaCry. The malware encrypted files and demanded payment to unlock them.
Many hospitals haven’t allocated sufficient resources to stay current in their cybersecurity even as ransomware attacks such as WannaCry become more sophisticated.
The Texas Hospital Association conducted a test of its member hospitals’ workforce capabilities to spot suspicious attempts to access patient and other internal data via phishing. The group found that training helped reduce click rates on suspicious email links and attachments by about 61 percent among participating hospitals.
Fernando Martinez, chief digital officer of the Texas Hospital Association, notes that 75 percent of Texas hospitals are small in size and do not have a “deep bench” in IT resources.
The IT department should not solely be responsible for a health system’s cybersecurity, said many experts, advising that a company’s risk management team should oversee cybersecurity in close cooperation with executive teams and governance boards.
Questions journalists should ask health systems and other health care organizations in their communities on this topic include:
- Who is in charge of cyber security, and to whom do they report? (Ideally, this should be a highly trained risk management team that reports to top executives.)
- Is employee training conducted to raise awareness of threats and appropriate response? (Kaiser Permanente, for instance, annually requires all employees to take a 10- to 15-minute online training on phishing awareness. It says this has reduced the click rate on malware from 34 percent to 9 percent across the organization.)
- Are cybersecurity priorities part of the organization’s strategic priorities? (Having one-off goals and programs can reduce effectiveness.)
- What is the policy, if any, on paying threat actors to recover data from ransomware attacks? (An estimated 40 percent to 60 percent of organizations do pay ransoms. Less than half of those that pay ransoms get their data back, according to the FBI’s Palmore.)
- Does the organization have data backups that would make them less vulnerable to a ransomware attack? (Restorable backups can quickly restore systems and avoid the need to pay a ransom.)
- Does the organization conduct cyberattack drills or tabletop exercises on a regular basis? (One example is a four-hour downtime procedure with no worker hands on keyboards and training to revert to paper records, said Anahi Santiago, chief information security officer at Christiana Care Health System in Delaware.)
- What is the organization doing to protect medical devices and other connected devices, which is a growing cyberthreat?
- Does the organization have relationships with local law enforcement to coordinate preparedness and response to a cyberattack? (The FBI and other law enforcement are seeking to strengthen connections to health systems before attacks to improve response time.)
- Are systems running Windows XP? Many organizations are reluctant to upgrade from Windows XP, but since Microsoft has not supported Windows XP since 2014 this puts them at a greater vulnerability of attack. Microsoft did issue a Windows XP patch for the flaw in March, but users are responsible for applying the patch.
Background
- Wall Street Journal: What we know about the global ransomware attack.
- American Hospital Association: Statement on the attack.
- New York Times: How to catch hackers? Old school sleuthing with a digital twist.
- HealthcareITnews: When it comes to ROI, teenage hackers are smarter than hospital executives.
- World Economic Forum: It published a white paper with 10 principals for cyber resilience in January 2017 that many large organizations, including Kaiser Permanente, are using as a framework. The document can guide reporters as they investigate the cyber resilience of organizations on their beats.
- AHCJ tip sheet: Tips for covering the hidden trade in patient data
- AHCJ tip sheet: What to know before diving into a health care cybersecurity story
