Healthcare cybersecurity in the wake of WannaCry: or, how to stop worrying and love connected technology

The recent worldwide WannaCry ransomware attacks have all eyes trained on the gaps and vulnerabilities in healthcare cybersecurity. The attack was catastrophic, leaving many health systems in 100+ countries crippled and unable to access patient health records, forcing ambulances to be delayed and operations and appointments to be canceled, and driving care teams to resort to ad hoc pen-and-paper records.

The attackers exploited a vulnerability in the Windows operating system, and though Microsoft quickly released a patch once the potential threat was discovered, many users failed to update their computers to install it, opening up their systems to the hackers.

And while the Windows operating system is different from, say, a wireless glucometer, large-scale hacks and data exploits like this, along with strict regulation, have hindered the adoption of connected technologies such as IoT, AI and more within the healthcare industry.

How I Learned to Stop Worrying and Love Connected Technology

Unfortunately, data breaches and cyber attacks have become so commonplace that healthcare organizations are often reluctant to work with innovative connected technologies, despite interoperability, data portability and patient satisfaction being top priorities. IoT, AI and other technologies are becoming ubiquitous to our day-to-day digital lives, despite the potential for security risks. Why shouldn’t they lead the way in healthcare delivery?

  • HealthTech breakthroughs will continue to improve the healthcare experience for patients and clinicians. Innovation in medical technology has allowed people to live longer, healthier and more productive lives. In fact, over the past 30 years, medical advancements helped add five years to U.S. life expectancy. With the advent of wearables and connected at-home clinical devices, there is an unprecedented accumulation of health data, which is ripe for disruption. The prevalence of digital and connected technologies, particularly with the adoption of EMRs and the rise of patient-generated data, will test the boundaries of interoperability, predictive analytics and data security.

  • Startups can help provide large healthcare organizations with the security answers. Large healthcare organizations can bolster their cybersecurity best practices by borrowing from an agile startup approach and workflow: embrace the new. Be open to adopting new cybersecurity solutions that have been developed. Partner with companies that provide better data insights to protect and enhance critical business and system functions. Make information accessible to everyone within engineering, encouraging a culture of empowered, proactive team members. Information democratization will ensure employees can raise red flags and pursue security-first approaches.

Creating a Proactive, Security-First Approach

Personal Health Information (PHI) is incredibly sensitive, and there will always be the potential for outside threats. However, there are a number of steps that healthcare system managers can take to stave off ransomware and other cyber attacks.

  • Continually educate your entire staff, not just the IT or engineering team, about common security threats and how to mitigate them. Any employee accessing your EMR or other data systems could potentially be an unwitting conduit for an attack.

  • Conduct regular internal audits for vulnerabilities, and form a plan to address each of them as they arise. This should include technical and physical safeguards, and can be key in identifying what process or technology needs to improve and how to handle a data breach, should one occur.

  • Encourage your IT team to stay updated with the latest cybersecurity vulnerabilities and how the industry is evolving. Two ways that I personally stay updated are by reading Bruce Schneier’s blog (Chief Technology Officer, IBM Resilient) and listening to the Security Now podcast.

  • Do not enforce ineffective password updating policies. According to the FTC, requiring frequent password changes leads employees to create weak or recurring passwords that are easy to crack. Instead, consider using password generators to generate unique, complex passwords every time a user logs in.

  • Ensure complete follow-through when combatting vulnerabilities. Quickly communicate the threat and the way to mitigate it to your entire staff. Then, conduct a thorough inventory audit to determine which team members actually followed through on the steps needed to protect the system. Make sure that those who have not completed the necessary updates do so as soon as possible.
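The follow-through audit in the last step is the part that most often slips: a host that has not reported in at all is easy to mistake for one that is fine. The script below is an added example (not part of the original article, and not any vendor's tool) of turning a patch-management export into an owner-by-owner follow-up list. The inventory rows, host names, owner names and the update identifier `KB-REQUIRED-PLACEHOLDER` are all constructed; substitute the real update identifier from your patch system, and treat a host that has been silent longer than `MAX_CHECKIN_AGE` as a finding rather than as compliant.

```python
"""Patch-compliance audit over a constructed host inventory.

Added example, not code from the original article. The CSV rows, owners
and the required update id are constructed placeholders.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder for the update that closes the vulnerability being tracked.
REQUIRED_UPDATE = "KB-REQUIRED-PLACEHOLDER"

# A host that has not checked in for longer than this is reported as
# "stale": silence from an endpoint is not evidence that it was patched.
MAX_CHECKIN_AGE = timedelta(days=7)

# Constructed inventory export, in the shape a patch tool might produce.
INVENTORY_CSV = """hostname,owner,last_checkin,installed_updates
ward3-pc01,alice,2017-05-15T09:12:00,KB-OLD-1;KB-REQUIRED-PLACEHOLDER
ward3-pc02,bob,2017-05-15T10:03:00,KB-OLD-1
imaging-ws7,carol,2017-04-20T08:00:00,KB-OLD-1
reception-01,dave,2017-05-14T17:45:00,
"""


@dataclass
class HostStatus:
    hostname: str
    owner: str
    state: str  # "compliant", "missing" or "stale"


def parse_inventory(text):
    """Yield (hostname, owner, last_checkin, set_of_updates) per CSV row."""
    for row in csv.DictReader(io.StringIO(text)):
        updates = {u for u in row["installed_updates"].split(";") if u}
        yield (
            row["hostname"],
            row["owner"],
            datetime.fromisoformat(row["last_checkin"]),
            updates,
        )


def audit(text, required=REQUIRED_UPDATE, now_iso=None, max_age=MAX_CHECKIN_AGE):
    """Classify every host; stale hosts are never counted as compliant."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    results = []
    for hostname, owner, checkin, updates in parse_inventory(text):
        if now - checkin > max_age:
            state = "stale"
        elif required in updates:
            state = "compliant"
        else:
            state = "missing"
        results.append(HostStatus(hostname, owner, state))
    return results


def followup_list(results):
    """Map owner -> hosts needing action, so each person gets one message."""
    todo = {}
    for r in results:
        if r.state != "compliant":
            todo.setdefault(r.owner, []).append(f"{r.hostname} ({r.state})")
    return todo


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a reproducible report.
    results = audit(INVENTORY_CSV, now_iso="2017-05-16T00:00:00")
    for owner, hosts in sorted(followup_list(results).items()):
        print(f"{owner}: {', '.join(hosts)}")
```

Running it against the constructed rows flags three of the four hosts: one that plainly lacks the update, one with no updates recorded at all, and one that has not checked in for weeks and therefore cannot be trusted either way. Grouping by owner is what makes the "make sure those who have not completed the updates do so" step actionable.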

I hope that the WannaCry attack was a wake-up call for many in the healthcare industry. By systematically adopting new technology, being proactive and making security an organization-wide issue, we can combat another large-scale data breach.