Healthcare Cybersecurity
Hello, and welcome back to this next TomCast from GuardSight, an Iron Bow Technologies company; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we’re going to discuss a topic that has had various aspects of it in the media but not the whole story. That topic is cybersecurity in the healthcare industry, or the lack thereof. While many of the headlines over the past few years has shown various breaches, compromises, and/or leaks of healthcare information (electronic health records, financials, and more), the complete story hasn’t been told, and this simple audiocast will merely scratch the surface.
To back up a moment, there have been quite a few discussions over the past couple of decades regarding cybersecurity and the overall impact of a cybersecurity incident on something physical, up to and including a human life. Stuxnet was one of the early examples of seeing how a cybersecurity incident could adversely impact something physical (if you are not familiar with Stuxnet, look it up and read the history). People pondered how cybersecurity and actual human lives could be intertwined, with some folks thinking that the two could not impact each other outside of anxiety and stress.
Well, the impacts of cybersecurity incidents are, in fact, adversely impacting human lives and have been for a while now. I encourage all of you to take a trip across the web to a site called iamthecavalry.org, an organization founded by a gentleman by the name of Josh Corman. Some of the data off of that site should awaken most of you out there.
To paraphrase the data I am referring to, hospitals focus on the three S’es, which are space, staff, and supplies. Notice one particular ‘S’ that is missing that should (in my opinion) be included? How about security? Many hospitals out there have no security or cybersecurity staff at all. While the main focus is obviously to care for and save human life, what happens when a cybersecurity incident takes place? Nothing good I assure you.
Most hospitals have emergency funds in place that are used in case of, well just what the funds specify. An emergency. Those funds can typically last a week or two. Unfortunately, if a hospital gets adversely impacted by a ransomware attack, that can (and has) taken hospitals offline for a month or two. Yes, you read that right, a month or two (which, doing the simple math here, means the hospital can no longer remain open). So, think of your local hospital for a moment. If you are in a small town, or rural area, there is a chance your hospital fits the descriptions given above.
As you are thinking of your local hospital, think about having a medical emergency that would require you or a family member to go to said hospital. Now, imagine that hospital is not available. Where would you go? Is there another a few more miles away? Sometimes another hospital isn’t too far to travel, so it’s merely an added inconvenience to have to switch hospital locations. But wait…what if all of these local and regional hospitals belong to the same conglomerate?
Well, if the conglomerate was hit by a ransomware attack, then the entire hospital chain could theoretically be down and offline. So, where you do you go now? If this was a life threatening emergency, what happens now? I mean, that is a rather morbid rhetorical question. Starting to see the issues with having little to no cybersecurity presence?
Let’s switch focus a little. Depending on the hospital, the department, and the staff, the nurse to baby ratio in the days prior to the implementation of online technologies was anywhere from 2:1 to 5:1, meaning one nurse could effectively manage the needs of 2 to 5 babies, depending on the severity of the cases. NICU’s would be the smaller ratio of course. With the implementation of online monitoring and other technologies that have helped staff monitor and care for babies from a relatively short distance, one nurse can now watch over and manage the care for 10-15 babies (again, depending on the severity of the cases).
Well, think now of that hospital and that particular nursery being adversely impacted by a ransomware event which renders the technologies unusable. All the monitors are now offline, all of the sensors being used are now offline, and now that baby to nurse ratio is way out of whack. Nurseries are an easier example to use, but this applies to intensive care units, any areas within a hospital that provide care and life-saving assistance. There is an old saying that states “if you cannot protect it, don’t connect it”, but unfortunately we are far beyond that point where way too much has been connected without the ability to protect it all.
Mr. Corman has relayed the following sentiment several times to people all over the country:
“Through our over dependence on undependable IT, we have created the conditions such that the actions of any single outlier can have a profound and asymmetric impact on human life, economic, and national security.” This will continue to ring true until everyone in leadership and decision-making roles within the healthcare industry starts to prioritize security in addition to the current three S’s they focus their efforts on.
If you are in the healthcare industry and are a decision-maker or in a position of leadership and wish to explore ways to protect your institution, reach out to the professionals at IronBow and GuardSight sooner versus later. We can help you understand, plan, and execute a comprehensive cybersecurity strategy for your organization. Don’t wait, and don’t become one of the ever-growing statistics.
We here at GuardSight and Iron Bow thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight or Iron Bow can do for you, head on over to www.guardsight.com or www.ironbow.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!