The use of ransomware in the most recent WannaCry attack demonstrates the broad need for, and importance of, identifying and prosecuting perpetrators whose intention is to disrupt the delivery of patient care and cause patient harm.
While many of these attacks are initiated from outside of the United States and tracking such efforts may be difficult, these kinds of attacks serve as a constant reminder that the industry is in need of government support and assistance around cybercrime. Cyber-attacks continue to rise in sophistication and oftentimes require several levels of collaboration between an organization and law enforcement to ensure proper response.
Many articles have been written and seminars performed on how “best” to secure your working environment, so I will not reiterate what many have already communicated. What I will share is that each and every organization is at risk in one way, shape or form. As a Chief Information Officer, I recognize that our computing environment is only as strong as our weakest employee link. It is impossible to monitor all of the actions of each employee and technology is only a part of the solution. The people and process within an organization are a significant factor in the overall success or failure of an information security program. Cybersecurity is no longer just a technology problem. It is a core business issue and requires the support and assistance from the entire organization to be successful.
As a result, in addition to the investment in new data security tools and resources, there are several things that one should consider:
Educate, Awareness and Train – In order to change the culture of your employee base to be the front line of resistance instead of the front door of access, consistent training, education and awareness programs need to be implemented.
Fundamentals – Basic fundamental preventative maintenance, such as asset identification/classification, software patching, appropriate monitoring and proper response and recovery procedures, will go a long way in deflecting many of the less sophisticated attacks.
Be Prepared – Regardless of how much you try to protect your environment, you are still at risk for an intrusion or breach. Have your executive team prepped and prepared on how to best react and respond to a situation. Time and speed are of the essence in these situations and will likely dictate the overall impact to your organization, so your executive team needs to be prepared.
Despite our individual entities’ best efforts, the healthcare industry is still at risk. I believe it is time for additional support to come to the aid of the industry from our law enforcement and government agencies in order to better protect our computing environment.
Pennsylvania Congressman Tim Murphy, Chairman of the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations (O&I), recently held a hearing to examine this very issue, including the recommendations included in the Department of Health and Human Services’ (HHS) Health Care Industry Cybersecurity Task Force report. The congressional hearing and HHS report both highlight the immediate need for collaboration and support.
It’s time these agencies work with our industry leadership to introduce funds, technologies and resources to further protect our computing environments and, most importantly, the safety of our patients. Furthermore, international cooperation with agencies across the globe should be expanded in order to bring such perpetrators to justice.
Intentionally disrupting patient care is a serious offense and should be treated as such to adequately safeguard against potential negative patient outcomes of such behavior.
Mike Restuccia is the CIO of Penn Medicine.