Of all the organizations that suffered from the WannaCry ransomware, the United Kingdom’s National Health Service was hit hardest. It was a wholly unpleasant wake-up call to both the healthcare organization and every patient it served. But for anyone with any foreknowledge of healthcare IT, it came as little surprise.
Even though healthcare organizations are subject to some of the strictest rules and regulations of any industry, healthcare IT is more often than not an absolute nightmare. IT infrastructure in hospitals is often a dangerous patchwork of new and legacy systems, many of which are unsecured and running outdated operating systems. And that's not even getting into staffing issues.
IT departments in hospitals are all too often understaffed and underbudgeted. The professionals who work in such departments are constantly made to do more with less, constantly wrestling with users who have little respect for password policies or cybersecurity best practices. This is only further exacerbated by the fact that in a hospital setting, the stakes are much, much higher.
If a bank or law firm is compromised, you’re looking at potentially millions of dollars on the line, true. A business could see itself destroyed by a hack against a financial institution; a person could experience financial ruin. A hospital that suffers a ransomware attack or data breach is looking at a potential loss of life, or at the very least no shortage of life-changing injuries or conditions.
Because of the potential impact on patients, hospitals are an attractive target for ransomware. They are also an attractive target because employees are not trained in security awareness.
That needs to change.
First and foremost, IT departments must make the case to decision-makers for an expanded budget, more personnel, and better security policies. To justify these changes, they can point not only to the vast array of data breaches and security incidents that have struck other healthcare organizations but also to the upcoming changes to HIPAA. These changes will likely focus largely on enforcement. While it’s impossible to say specifically what they’ll modify, there is a very good chance they’ll require hospitals to take their security posture even more seriously than before.
Secondly, hospitals must start focusing on updating and digitizing their infrastructure. They must move away from legacy systems to HIPAA-compliant cloud platforms and systems. This must be done concurrently with expanded training programs for healthcare staff that emphasize both accountability and responsibility, as well as the importance of cybersecurity to patient outcomes.
These are not changes that will come easily. At the same time, they need to happen. Because until they do, hospitals will forever find their IT departments - and their patient data - in extremely poor health.