Why is Hospital IT Security in Such Poor Health and What Can We Do About It?
Of all the organizations that suffered from the WannaCry ransomware, the United Kingdom’s National Health Service was hit hardest. It was a wholly unpleasant wake-up call to both the healthcare organization and every patient it served. But for anyone with any foreknowledge of healthcare IT, it came as little surprise.
Even though healthcare organizations are subject to some of the strictest rules and regulations of any industry, healthcare IT is more often than not an absolute nightmare. IT infrastructure in hospitals is often a dangerous patchwork of both new and legacy systems, both of which are often unsecured and running outdated operating systems. And that's not even getting into staffing issues.
IT departments in hospitals are all too often understaffed and underbudgeted. The professionals who work in such departments are constantly made to do more with less, constantly wrestling with users that have little respect for password policies or cybersecurity best practices. This is only further exacerbated by the fact that in a hospital setting, the stakes are much, much higher.
If a bank or law firm is compromised, you’re looking at potentially millions of dollars on the line, true. A business could see itself destroyed by a hack against a financial institution; a person could experience financial ruin. A hospital that suffers a ransomware attack or data breach is looking at a potential loss of life, or at the very least no shortage of life-changing injuries or conditions.
Because of the potential impact on patients, hospitals are an attractive target for ransomware. They are also an easier target because employees are not trained in security awareness.
That needs to change.
First and foremost, IT departments must make the case to decision-makers for an expanded budget, more personnel, and better security policies. To justify these changes, they can point to not only the vast array of data breaches and security incidents that have struck other healthcare organizations but also the upcoming changes to HIPAA. These changes will likely be focused largely on enforcement - while it’s impossible to say what specifically they’ll modify, there is a very good chance they’ll require hospitals to take their security posture even more seriously than before.
Secondly, hospitals must start focusing on updating and digitizing their infrastructure. They must move away from legacy systems to HIPAA-compliant cloud platforms and systems. This must be done concurrently with expanded training programs that emphasize both accountability and responsibility to healthcare staff - as well as the importance of cybersecurity to patient outcomes.
These are not changes that will come easily. At the same time, they need to happen. Because until they do, hospitals will forever find their IT departments - and their patient data - in extremely poor health.