The recent rash of cybercrimes that either directly targeted or impacted healthcare institutions, including May’s WannaCry ransomware attack, demonstrates that many in the medical community don’t have strong enough electronic security.
“Sometimes the small practice physicians think they won’t be targeted because they have less information, but what we’re learning is that everyone is vulnerable because health data is very valuable,” said Deven McGraw, deputy director for Health Information Privacy for the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS).
Consider a statistic from the nonprofit HITRUST Alliance, a collaboration of public and private healthcare technology, privacy and information security leaders. It found that 40% of doctor offices and medical practices working with HITRUST on cybersecurity had active malware or spyware after an assessment.
HITRUST CEO Daniel Nutkis said many physician offices aren’t following even the basic security measures to prevent attacks like WannaCry. They lack up-to-date hardware and software, they fail to download security patches and they skimp on endpoint and network security technologies.
“When you have deficiencies in all these areas, you’re set up for failure,” said Will Long, CISSP, CPHIMS, vice president and chief information security officer for information systems at Children’s Health, a pediatric healthcare system in North Texas that includes Children’s Medical Center Dallas and Children’s Medical Center Plano.
Long said he sees many physician groups affiliated with his medical institution struggle in those areas because they’re, understandably, focused first on patient care and don’t have a dedicated staff member to handle IT, let alone cybersecurity.