What Cybersecurity Weaknesses Can Put Hospitals (and Patients) at Risk?

With large-scale data breaches seeming to happen with increasing regularity, businesses are growing more concerned about the release of confidential customer information. Because their patient files contain everything from Social Security numbers to payment sources, many hospitals are targeted by hackers.

However, it’s not just private patient health information that could be vulnerable. Most modern hospitals operate multiple pieces of sensitive electronic equipment that rely on wireless signals, from ventilators to IVs to dialysis equipment. A cyber attack could disrupt these machines’ function and cause instant harm to patients depending upon them.

Read on to learn more about some of the common cybersecurity weaknesses present in many hospitals, as well as how you and your staff can best protect against both deliberate and inadvertent data breaches.

Weakness #1: Employees

Although your employees are likely your greatest asset, they can also be your weakest link when it comes to protecting against cyber attacks – in fact, whether accidental or malicious, employees are still the #1 cause of a cyber breach, and the trend shows no sign of changing. U.S. companies spend billions of dollars each year on training programs to help employees better identify phishing emails and other online scams, but some experts indicate this training is of limited use.

One cyber expert found that nearly one-third, or 32 percent, of a major bank’s employees clicked on a potentially harmful phishing link just a few weeks after undergoing a cyber training class; by comparison, 35 percent of employees who hadn’t taken a class clicked on the same link, a difference of only three percentage points.

This indicates that many companies need to step up their training efforts and help their staff members understand the serious real-world consequences of a phishing hack. In the hospital world, this can mean emphasizing the physical (rather than legal or financial) consequences of a data breach.

For example, a data breach that takes out your hospital’s central computer system could leave doctors and nurses helpless to accurately administer medication to patients; without information on a physical chart, your medical staff may be unable to discern when the last dose was taken or even what medications have been prescribed.

Similarly, a targeted breach that allows an outside hacker to take control of your hospital’s central computer system could empower the hacker to turn off (or turn up) equipment remotely, potentially “pulling the plug” on terminally ill patients or causing others to suffer serious, potentially fatal complications.

By ensuring your employees are well aware of the potential harm that can come from something as minor as clicking on a phishing link, you’ll be in a better position to protect your hospital against the wide variety of cybercrimes that may be attempted.

Weakness #2: Inadequate Security Funding

Before the advent of the internet, confidential patient health information (PHI) was kept in physical files, often secured under lock and key. But while most hospitals and medical facilities quickly transitioned to electronic records and wireless equipment during the late 1990s and early 2000s, they didn’t do much to upgrade their record security in the process.

Even the advent of the Health Insurance Portability and Accountability Act (HIPAA), carrying with it serious legal consequences for those who purposely or negligently leak confidential health data, wasn’t always enough to encourage hospitals to strengthen their electronic or online security protocols.

The health care industry as a whole devotes a scant 6 percent of its IT budget to cybersecurity measures. This is in direct contrast with other highly regulated industries, like the federal government and the financial sector, both of which devote about 12 percent of their IT budgets to cybersecurity.

Not only do hospitals tend to devote less of their IT budgets to cybersecurity, but healthcare IT jobs tend to pay less than cybersecurity jobs that focus on other industries. In fact, the average pay for healthcare cybersecurity jobs is around 25 percent lower than that for other cybersecurity positions.

Without a budgetary commitment to cybersecurity and a willingness to pay market rates to attract top talent, hospitals may continue to suffer expensive and potentially dangerous data breaches. With the average health care–related data breach costing at least $350 per stolen patient record, the cost of sloppy cybersecurity can quickly add up.

Weakness #3: Hubris

Many cybersecurity experts point to IT professionals as an example of hubris; because those in the IT world may assume they know more than the average citizen when it comes to averting a cyber attack, they can let their defenses down and actually make themselves more vulnerable. Like the specialties in health care, cybersecurity is a specialty in technology – a general practitioner is not the same as an expert who focuses on a specific area.

Healthcare professionals aren’t always much different. While few doctors or nurses may fancy themselves cybersecurity experts, these professionals can be highly educated and may assume they’re too smart or cynical to fall for an obvious scam email or virus-riddled website.

However, today’s hackers are incredibly advanced, and even people with some knowledge of common scams may find themselves falling victim at one point or another.

By enlisting the help of a cybersecurity firm to evaluate your own hospital’s security structure and weak points, you’ll be far better equipped to train your staff to rebuff hacking efforts. Doing so can protect not only the confidential health and financial data of your patients but their access to care as well.