Managing Hackers and the Ongoing Healthcare Cybersecurity Crisis

July 20, 2017
By Josh Baxt, BioSpace.com Breaking News Staff

They have whimsical names like Petya and WannaCry, but recent ransomware attacks are far from trivial. These and other threats lock up patient information, drain hospital resources and undermine confidence in our healthcare infrastructure.

Now that hackers have had some success, it seems hospitals are becoming prime targets for continued cyberaggression. While these systems have been threatened for decades, this new generation of malware is upping the ante. When will it end? Probably never.

That means hospitals, device makers, life science companies and government agencies must work together to raise cybersecurity standards and support compliance. The movement has already started. The Food and Drug Administration (FDA), National Health Information Sharing and Analysis Center, Medical Device Innovation, Safety and Security Consortium and others are working to secure these systems.

Hackers have turned their collective attention on hospitals because they are vulnerable—the free market at work. The best way to get them to look elsewhere is to make those systems more difficult to hack.

That’s going to be a challenging job, as there are layers of vulnerability. As usual, people are the biggest chink in the armor. For many of these attacks, the tip of the spear is a phishing email, and they’re becoming increasingly sophisticated. Even people who know better have been tempted to click on a questionable link.

Then there are the ubiquitous connected devices that populate all hospitals. Because healthcare margins are so lean, many facilities hold on to their devices as long as they can while still maintaining patient safety. But old devices can be a security risk and difficult to patch. In addition, device manufacturers have often prioritized features over security. Last year, the FDA issued post-market guidance for security, and that has helped focus device makers on the problem.

Not surprisingly, one of the primary issues facing hospital security teams is budget. There’s a lot they can do, but not a lot of money to actually do it. Healthcare execs are faced with a chronic choice: invest in cybersecurity—which is mostly invisible to patients—or purchase a new CT with X more slices than the machine across town.

Nonprofit hospitals, which rely on philanthropy, face additional complications. Donors don’t generally put their names on new parking structures (though they do grouse about parking) and computer systems have a similar, unsexy profile.

At this point, we know what to do to safeguard systems: educate staff, develop less risky new devices and patch older ones; build secure networks that provide “herd immunity” for vulnerable systems. We just need to find the resources and will to do it. Hackers will continue to press hospitals as long as they see an opening. And even after those vulnerabilities are closed, they will continue to probe for new ones.

Our moral guidance comes from Robert Goodloe Harper, the Federalist politician. In 1798, when the French foreign minister threatened to attack the U.S. if we didn’t pay him off, Harper famously said: “Millions for defense but not one cent for tribute.”

Josh Baxt has been a science and healthcare writer for more than 18 years, working at Scripps Health and the Sanford-Burnham Medical Research Institute before going freelance in 2011. He writes about molecular biology, genomics, pharmaceuticals, emerging medical technologies, regulation and public policy. He is based in San Diego.