{"id":11954,"date":"2018-04-25T07:28:04","date_gmt":"2018-04-25T07:28:04","guid":{"rendered":"http:\/\/www.lifeandnews.com\/articles\/?p=11954"},"modified":"2018-04-27T07:30:31","modified_gmt":"2018-04-27T07:30:31","slug":"defending-hospitals-against-life-threatening-cyberattacks","status":"publish","type":"post","link":"https:\/\/www.lifeandnews.com\/articles\/defending-hospitals-against-life-threatening-cyberattacks\/","title":{"rendered":"Defending hospitals against life-threatening cyberattacks"},"content":{"rendered":"<p><span><a href=\"https:\/\/theconversation.com\/profiles\/mohammad-s-jalali-297477\">Mohammad S. Jalali<\/a>, <em><a href=\"http:\/\/theconversation.com\/institutions\/mit-sloan-school-of-management-1878\">MIT Sloan School of Management<\/a><\/em><\/span><\/p>\n<p>Like any large company, a modern hospital has hundreds \u2013 even thousands \u2013 of workers using countless computers, smartphones and other electronic devices that <a href=\"https:\/\/www.phe.gov\/Preparedness\/planning\/CyberTF\/Documents\/report2017.pdf\">are vulnerable<\/a> to security breaches, data thefts and ransomware attacks. But hospitals are unlike other companies in two important ways. They keep medical records, which are among the most <a href=\"https:\/\/web.cs.dal.ca\/%7Esmit\/publications\/public_opinion_electronic_health_records_solutions.pdf\">sensitive data about people<\/a>. And many hospital electronics help keep patients alive, monitoring vital signs, administering medications, and even breathing and pumping blood for those in the most dire conditions.<\/p>\n<p>A 2013 data breach at the <a href=\"https:\/\/www.lexology.com\/library\/detail.aspx?g=1d050954-aab5-4fd5-8d7d-2cb2de9da065\">University of Washington Medicine<\/a> medical group <a href=\"http:\/\/www.modernhealthcare.com\/article\/20151214\/NEWS\/151219937\">compromised about 90,000 patients\u2019 records<\/a> and resulted in a US$750,000 fine from federal regulators. 
In 2015, the <a href=\"https:\/\/www.uclahealth.org\/\">UCLA Health system<\/a>, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for <a href=\"http:\/\/newsroom.ucla.edu\/releases\/ucla-health-victim-of-a-criminal-cyber-attack\">4.5 million patients<\/a>. Cyberattacks can interrupt <a href=\"https:\/\/dx.doi.org\/10.2147%2FMDER.S50048\">medical devices<\/a>, close emergency rooms and cancel surgeries. The <a href=\"https:\/\/theconversation.com\/the-petya-ransomware-attack-shows-how-many-people-still-dont-install-software-updates-77667\">WannaCry attack<\/a>, for instance, disrupted a <a href=\"https:\/\/publications.parliament.uk\/pa\/cm201719\/cmselect\/cmpubacc\/787\/78707.htm\">third of the UK\u2019s National Health Service organizations<\/a>, resulting in canceled appointments and operations. These sorts of problems are a <a href=\"https:\/\/www.verizonenterprise.com\/resources\/reports\/rp_DBIR_2018_Report_en_xg.pdf\">growing threat<\/a> in the health care industry.<\/p>\n<p>Protecting hospitals\u2019 computer networks is crucial to preserving patient privacy \u2013 and even life itself. Yet recent <a href=\"https:\/\/doi.org\/10.3233\/THC-161263\">research<\/a> shows that the health care industry lags behind other industries in securing its data. <\/p>\n<p>I\u2019m a systems scientist at MIT Sloan School of Management, interested in understanding complex socio-technical systems such as cybersecurity in health care. A former student, <a href=\"https:\/\/www.linkedin.com\/in\/jessepkaiser\/\">Jessica Kaiser<\/a>, and I <a href=\"http:\/\/dx.doi.org\/10.2196\/10059\">interviewed hospital officials in charge of cybersecurity<\/a> and industry experts, to identify how hospitals manage cybersecurity issues. 
We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees\u2019 roles line up with cybersecurity efforts.<\/p>\n<h2>A wide range of devices<\/h2>\n<p>A major challenge in hospitals\u2019 cybersecurity is the <a href=\"https:\/\/www.onr.com\/blog\/control-the-risks-of-iot-and-byod-in-healthcare-part-i\/\">enormous number of devices with access to a facility\u2019s network<\/a>. As with many businesses, these include mobile phones, tablets, desktop computers and servers. But they also have large numbers of patients and visitors who come with their own devices, too \u2013 including networked medical devices to monitor their health and communicate with medical staff. Each of these items is a potential on-ramp for injecting malware into the hospital network.<\/p>\n<p>Hospital officials could use software to ensure <a href=\"https:\/\/edtechmagazine.com\/higher\/article\/2018\/04\/Higher-Ed-Security-Pros-Get-Strategic-to-Neutralize-Threats\">only authorized devices can connect<\/a>. But even then, their systems would remain vulnerable to software updates and new devices. Another key weakness comes from <a href=\"https:\/\/hitinfrastructure.com\/news\/health-it-connected-medical-device-market-on-the-rise\">medical equipment<\/a> offered as free samples by device manufacturers who operate in a competitive market. They\u2019re <a href=\"https:\/\/www.wired.com\/2017\/03\/medical-devices-next-security-nightmare\/\">often not tested<\/a> for proper security before being connected to the hospital network. 
One of our interviewees mentioned: <\/p>\n<blockquote>\n<p>\u201cIn hospitals \u2026 there\u2019s a whole underground procurement process whereby medical device vendors approach clinicians and give them lots of stuff for free that eventually makes its way on to our floors, and then a year later we get a bill for it.\u201d<\/p>\n<\/blockquote>\n<p>When new technologies bypass regular processes for purchase and risk assessment, they aren\u2019t checked for vulnerabilities, so they introduce even more opportunities for attack. Of course, hospital administrators should balance these concerns against the improvements in patient care that new systems can bring. Our research suggests that hospitals need stronger processes and procedures for managing all these devices.<\/p>\n<h2>Staff buy-in<\/h2>\n<p>Getting hospital administrators to understand the importance of cybersecurity is fairly straightforward: They told us they\u2019re worried about costs, institutional reputation and regulatory penalties. Getting medical staff on board can be much more difficult: They said they\u2019re focused on patient care and don\u2019t have time to worry about cybersecurity.<\/p>\n<p>People typically treat cybersecurity protections as secondary to what they\u2019re trying to get done. One person we interviewed described why some staff committed the cardinal cybersecurity sin of sharing a password:<\/p>\n<blockquote>\n<p>\u201cTo use an ultrasound machine [you need a password, which] has to change every 90 days. [Staff] just want to use the ultrasound machine. It\u2019s not holding a lot of patient data \u2026 so they create a shared login so that they can provide patient care.\u201d<\/p>\n<\/blockquote>\n<p>The needs can vary widely across a hospital, in ways that can be surprising \u2013 such as access to sites likely to carry malicious software. 
A chief information officer at a research hospital told us, <\/p>\n<blockquote>\n<p>\u201cI personally believe that hardcore pornography has no purpose on hospital supported devices. What did I do five years ago? I put up internet content filters that prevented people from navigating to pornography. Within five minutes, the director of psychiatry calls to tell me that we have a grant to study pornography in a medical context [so we had to modify our filters].\u201d<\/p>\n<\/blockquote>\n<p>These experiences are why we concluded that budget limitations are not as crucial to hospital cybersecurity as employee involvement. A hospital can buy as many pieces of hardware and software as it wants. If workers aren\u2019t following organizational procedures, the technology won\u2019t keep hospitals safe. Our research suggests that cybersecurity is as much about managing people as it is about technology.<\/p>\n<h2>Compliance is not security<\/h2>\n<p>The threat is nationwide, and keeps getting harder to defend against, as one chief information security officer told us:<\/p>\n<blockquote>\n<p>\u201cThe nature of attacks is increasingly sophisticated. It used to be my biggest threat was \u2026 students. Today, it\u2019s state-sponsored attacks, terrorism and organized crime. It\u2019s more threats than ever before of a more serious nature.\u201d<\/p>\n<\/blockquote>\n<p>Unfortunately, many hospital administrators seem to believe that protecting data is as simple as meeting state and federal regulations. But those are minimum standards that don\u2019t adequately address the threat. As one of our interviewees said, <\/p>\n<blockquote>\n<p>\u201cCompliance is a low bar. I guarantee that little health care organizations and hospitals would do nothing (without regulation). They would have a piece of paper on a shelf called their security policy. It\u2019s needed as a backstop to get companies at least thinking about it. 
But being compliant does not solve the greater risk management problem.\u201d<\/p>\n<\/blockquote>\n<p>Our research shows that hospitals need to think beyond compliance. Also, with so few hospitals well defended against cyberattacks, all hospitals appear more attractive as potential targets. In our view, it\u2019s not enough for hospitals to improve their own defenses \u2013 nor for regulators to raise standards. They should manage, and evaluate the security of, the devices on their networks and ensure medical staff understand how good cyber-hygiene can support good patient care. Further, policymakers, health care leaders and hospitals themselves should work together to make the industry as a whole less susceptible to attacks that threaten people\u2019s privacy and their very lives.<\/p>\n<p><span><a href=\"https:\/\/theconversation.com\/profiles\/mohammad-s-jalali-297477\">Mohammad S. Jalali<\/a>, Research Faculty, <em><a href=\"http:\/\/theconversation.com\/institutions\/mit-sloan-school-of-management-1878\">MIT Sloan School of Management<\/a><\/em><\/span><\/p>\n<p>This article was originally published on <a href=\"http:\/\/theconversation.com\">The Conversation<\/a>. Read the <a href=\"https:\/\/theconversation.com\/defending-hospitals-against-life-threatening-cyberattacks-93052\">original article<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mohammad S. Jalali, MIT Sloan School of Management Like any large company, a modern hospital has hundreds \u2013 even thousands \u2013 of workers using countless computers, smartphones and other electronic devices that are vulnerable to security breaches, data thefts and ransomware attacks. But hospitals are unlike other companies in two important ways. 
They keep medical [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":11955,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3410,8],"tags":[612,526,151,3465,4314],"_links":{"self":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/11954"}],"collection":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/comments?post=11954"}],"version-history":[{"count":1,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/11954\/revisions"}],"predecessor-version":[{"id":11956,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/posts\/11954\/revisions\/11956"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media\/11955"}],"wp:attachment":[{"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/media?parent=11954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/categories?post=11954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lifeandnews.com\/articles\/wp-json\/wp\/v2\/tags?post=11954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}