Cybersecurity is a growing concern for hospital leaders, according to the American Society for Health Care Engineering’s 2018 Hospital Security Survey, conducted in collaboration with the International Association for Healthcare Security & Safety. But before hospitals dive into tactics to protect their systems, they should carefully evaluate the specific risks they face.

“Before you implement any technical and tactical measures, step back and understand what your strategic cyberrisk profile is,” says John Riggi, senior adviser for cybersecurity and risk for the American Hospital Association (AHA), whose profile and cybersecurity advisory services can be found at “One of the first questions CEOs and other leaders should ask is, ‘What are the organization’s most mission-critical systems in terms of patient safety and care delivery, and how vulnerable are they to cyberattack?’”

To help determine its cyberrisks, the hospital should consider what types of data it holds, what network connections link the hospital’s systems to the outside world, and who might be interested in attacking the hospital’s systems, Riggi says.

For example, if a hospital sometimes cares for military personnel, it may be targeted for cyberattack by a hostile foreign country interested in gathering data on those individuals for intelligence purposes. And if the hospital has external network connections, the intruder may exploit these connections to gain access even if the hospital’s own cyber defenses are strong.

Riggi says some hospitals overlook the importance of the research data and intellectual property they hold. That information is highly valuable to foreign powers seeking to steal medical and scientific innovations, he says, and should be protected as thoroughly as patient data.

“Often, hospitals are so focused on protecting patient information, they neglect to protect medical research, innovations, personally identifiable information and financial information that they hold as well,” Riggi says. “Once a hospital begins considering these issues, they start to understand their risk profile from the adversary’s perspective.”

Only once a hospital has a handle on its cyberrisk profile can it start considering defensive tactics commensurate with the intentions and capabilities of its cyber adversaries, Riggi says, adding that the AHA has developed a 12-point checklist that helps hospital leaders get a handle on their cyberrisk situation.

“You have to understand what you have to defend against before you implement tactical defensive measures,” he says. “And you need to understand that it’s not a matter of if an intrusion will occur, but when.”