Cybersecurity and Hospitals: A Board Perspective
Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology, it is not surprising that, when we think about our organizations’ vulnerabilities, our information infrastructure must be high on the list. Moreover, hospitals and health systems play a particularly important role because they are part of the United States’ critical infrastructure – that is, their systems and assets are considered so vital to the country that their impairment as a result of a cyber attack would pose a threat to the nation’s public health and safety.
Members of a hospital’s board have the responsibility to understand, at a high level, the risks and vulnerabilities the hospital faces with respect to cybersecurity, as well as the executive leadership’s security and response plans.
The Rising Threat
According to data reported to the Office of Civil Rights at the Department of Health and Human Services (HHS), hacking or IT-related incidents in health care compromised the records of 111 million Americans, or one in three in 2015. The largest breaches were health insurers – such as Premera and Anthem. However, we are seeing an uptick in targets on hospitals and other health care providers.
In 2016, we saw the rise of ransomware, and health care organizations were among those frequently targeted. 2017 has brought even more attacks. In May, businesses around the world were affected by the massive WannaCry attack that targeted banking and health care entities in particular, grinding the United Kingdom’s National Health Service to a halt. A month later, a form of malware known as Petya infected computers world-wide. Among the hardest hit was Nuance Health Care, a medical transcription software company. Weeks after the attack, Nuance was still struggling to get its systems back online, forcing many hospital and health system customers to implement workarounds.
A successful breach is expensive. Experts estimate the cost to be $363 per record in health care – higher than the $217 average across all sectors in the U.S. – due to the type of information. It is easy to cancel a credit card, but harder to deal with lost medical information