In a new essay, medical and legal experts outline steps that hospitals can take to secure themselves against dangerous and damaging hacking attacks. They also say, however, that many strategies will be difficult to implement and that, ultimately, full security may be impossible to achieve.
Especially cruel hackers know that lives are on the line when they hold a hospital’s computer systems hostage, as they did in the May 12 attack dubbed WannaCry, which locked down many overseas hospitals with the demand for a ransom.
“Patients can suffer severe negative health effects if their treatment is delayed, discontinued, or performed incorrectly because hospital records are unavailable,” the authors write in the essay.
“There are things we can do to reduce the risk but it is very hard to perfect IT security, especially given the needs of modern hospital systems to have things moving between places and increasing demand for patient-facing access,” says I. Glenn Cohen, a professor of law at Harvard University and coauthor of the article. “To some extent, these attacks are inevitable.”
The authors cite research that counted nearly 2,000 hospital data breaches of varying kinds between 2009 and 2016. In that last year, a ransomware attack hit a hospital system in the Baltimore area, forcing workers to rely on paper records.
In their new paper, the authors list several steps—some simple and others more complex—that hospitals can take to prevent or at least mitigate attacks and to ensure that they are in compliance with the Health Insurance Portability and Accountability Act, which requires holders of health records to keep them secure.
Some of the more straightforward tactical recommendations include workforce training, retaining cybersecurity expertise, patching operating systems, and reporting attacks promptly to authorities. They also recommend more strategic, nationwide steps, even though those may be harder to accomplish.
Coauthor Eli Adashi, a professor of medical science and former dean of medicine and biological sciences at Brown University, notes that the US government’s response in the wake of WannaCry was fragmented among many agencies, although just the day before President Donald Trump had issued a sweeping executive order instructing federal agencies to embark on a number of actions to ensure greater cybersecurity. Building on that to develop a cohesive government response pertaining to health care infrastructure, he says, could provide all hospitals with common, well-informed guidelines.
“We need a coordinated national effort,” he says. “This will take time.”
Cohen says another key step could be for the Joint Commission, which accredits hospitals, to make cybersecurity requirements a high priority in renewing accreditation.
And hospitals should consider committing to a principle of “non-payment” of ransoms to hackers, the authors propose, akin to the US government policy of not paying ransoms to terrorists. Adashi says all of these steps, but especially that one, should be implemented only after considerable public discussion.
After all, with lives on the line, Cohen acknowledges, pressure could quickly build to abandon an abstract policy, especially if it didn’t have buy-in from patients.
“If I were a hospital CEO, it’s one thing to make this pledge ex ante, but it’s another thing when you have a population of patients who need health care to stick by it,” he says.