To 'do no harm,' invest in cybersecurity

In a new twist on the Hippocratic Oath, infosec experts say hospitals must protect patient safety by identifying the areas most vulnerable to cyberattacks and deploying effective strategies to secure their networks.
By Kat Jercich
03:28 PM

When it comes to cybersecurity issues, many in the healthcare industry likely recognize the importance of protecting patient medical data. 

However, as Fairview Health Offices Chief Information Security Officer Judy Hatchett and Proofpoint managing director of health practice Ryan Witt pointed out in a recent HIMSS20 Digital presentation, cybersecurity is also about protecting patients themselves.

"'Do no harm' is a principle that I know … providers hold dear," said Witt in his talk with Hatchett, "Why Cybersecurity Is a Core Component of Patient Safety." "Patient safety is a component of that."

Witt, a HIMSS Cybersecurity, Privacy & Security Committee member, explained that security and data breaches can lead to service outages at healthcare facilities, which in turn can compromise patient health in a real way.

When a facility has "downtime as a result of a cyberattack, almost by definition you are doing your patients harm," Witt said.

According to a 2019 American Medical Association-Accenture Medical Cybersecurity Survey, 36% of health institutions were unable to provide care for at least five hours as a result of cyberattacks.

"Any sort of cybercriminal activity that drives downtime, that interrupts your system ... is potentially impacting patient care," Witt said. 

Hatchett and Witt said that the majority of cybercrime occurs through phishing, with bad actors often impersonating trusted contacts such as the Centers for Disease Control and Prevention, the World Health Organization, and others.

This tactic is especially notable amid the coronavirus crisis, they said, as message recipients are more likely to be looking for reliable information from health organizations.

"Any time of email compromise is always going to be the number one threat vector," said Hatchett.

However, she said, it's also vital to be conscious of the ways a system is protecting connected medical devices, both for the sake of patients who rely on those devices and for the security of the system itself.

Hatchett and Witt also warned about employees' habits of posting too much information about their professional role on LinkedIn or other social networking sites, as it may make them a target for criminals.

This is especially true for those who hold more frequently attacked positions, such as nurses, pharmacists and researchers.

"Who doesn't want to brag about what they do on LinkedIn?" Hatchett said. "But there is some risk in doing that. … Put some thought into how much you're putting out there."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.
