The past few days have been filled with reports about the ransomware impact on the UK National Health Service. Was the NHS specifically targeted? No. Was it uniquely vulnerable? Yes.
I’ve been a chief information officer overseeing health care institutions and academia for more than 20 years. In that time, I’ve identified five reasons that health care is more vulnerable than most other industries to security issues.
- A small market. There are 5,564 hospitals in the United States. That means that many health care software vendors have a total of 5,564 potential customers. This relatively small market means that many niche developers may not have the resources to update their applications frequently. Yes, the comprehensive electronic health record companies do issue updates, but what about that application helping your cardiologist, GI specialist, or Ob/Gyn do their job? It may be a mission-critical system that is years out of date. In 2017, there are still health care applications that only run on Windows XP, an operating system no longer supported (or patched) by Microsoft. An emergency XP patch was issued over the weekend for the specific vulnerability exploited by the ransomware, but such out-of-band patches for an unsupported operating system are exceedingly rare.
- It’s built from the bottom up. Many industrial companies are top-down, command and control. There is one set of technologies and policies that applies to all employees. Companies buy specific phones and laptops for employees and offer few options for work-related computing. The United States does not have a top-down health care system. Instead, it has a decentralized, loosely connected collection of hospitals, clinics, labs and pharmacies with no all-powerful leader. Every one of these organizations has different technologies, policies, and cybersecurity educational programs. But what about within a given hospital? Although there are exceptions such as Kaiser Permanente, most hospitals own the facility but not the doctors. Imagine if Toyota owned the factory and independent workers arrived every day to build whatever car they wanted. That’s how hospitals work. CIOs have no authority to tell clinicians they must run a specific brand of corporate-approved phone, and they certainly do not have the budget to buy them for everyone.
- Underspending. How much does your financial services company spend on technology every year? Likely more than 25 percent of its budget. How much does your hospital spend on information technology? Likely under 4 percent. If you are a bank robber, will you go after the company that spends one quarter of its resources on building vaults, or will you go after the company that tries very hard but spends less than one-twentieth of its resources on vaults? You’ll go where the money is easiest to steal.
- No tolerance for inconvenience or downtime. Security patches for operating systems and applications are issued every day. Sometimes the cure is worse than the disease. Patches can disrupt existing applications, shut down servers, or cause network slowness. Every patch needs to be tested before it is applied and only installed when there is confidence it will do no harm. Clinicians are stressed and often overwhelmed in their jobs. They have little tolerance for downtime or any reduction in technology functionality. The challenge is to implement constant change and innovation with patches and upgrades while never disrupting clinical work or causing safety concerns. That is like changing the wings on a 747 while it’s flying. Thus, health care organizations may not have all the latest patches installed.
- Medical devices expose systems to more threats. Hospitals not only have thousands of computers, phones and laptops: they also have thousands of medical devices connected to the network. IV pumps, X-ray machines, and heart monitors sound like appliances, but in reality they are computers with network connections. Many of these medical devices have little to no security protections because manufacturers never assumed they would be attacked. Some manufacturers claim that adding security patches would require that the devices be re-approved by the Food and Drug Administration. This is not true: the FDA’s postmarket cybersecurity guidance treats routine cybersecurity updates and patches as device enhancements that generally do not require premarket review or advance notification.
What can we do to improve cybersecurity resilience in health care?
- Attitudes toward technology need to change to allow occasional short-term disruptions and inconvenience when high-risk security issues arise. By providing additional security, health care organizations can ensure the long-term availability of their applications and the integrity of patient data.
- Policies need to be more restrictive and limit the devices that members of the health care community can use and the activities they can perform. There should be no expectation that certain websites, downloads, or applications can be accessed from work-related devices.
- Ongoing education is key — including active testing of user behavior. If someone clicks on a link in an email that promises thousands of dollars from an overseas businessman, they should be rewarded with mandatory security and compliance training.
Still, there is no magic bullet solution to the cybersecurity challenges faced by all industries, especially health care. Government, academia, and industry must work together to ensure our technology tools are safe, reliable and protected from those who attack them.