Want to fight ransomware? Set minimum standards, prioritize education

As cyberattacks become increasingly common, healthcare professionals must push security to the forefront. In a presentation at the annual meeting of the Radiological Society of North America (RSNA) in Chicago, Jim Whitfill, CMO of Innovation Health Partners and president of Lumetis, described the current cybersecurity environment and detailed the steps professionals can take toward improving security and privacy.

This year, the ransomware market is projected to earn as much as $1 billion a year, a dramatic increase from only $24 million in 2016. Medical records are also unusually valuable to criminals: at roughly $50 per record, they sell for far more than other stolen data. Email account credentials, for example, fetch about $5 per account.

Whitfill warned that another massive cyberattack on the scale of WannaCry is likely if healthcare information security does not improve. Fighting such threats starts with understanding the shortcomings of healthcare IT security, identifying the adversaries and developing comprehensive security programs.

Whitfill discussed common security concerns such as operational security gaps, unpatched software, lack of encryption and authentication, and application vulnerabilities. Today's hostile online environment hosts a wide range of threats to healthcare cybersecurity, and the barrier to entry for attackers keeps falling: Whitfill explained how hacking has become an easily learnable skill, with an abundance of free tutorials posted on sites like YouTube.

As it stands now, healthcare security has room for improvement in both the hospital and the medical device setting. Healthcare organizations spend an average of 4 to 6 percent of their IT budgets on security, far below the 12 to 15 percent invested by the financial industry. That underfunding may help explain why 94 percent of medical institutions have experienced a cyberattack. Medical device security is also neglected, as most vendors struggle to find skilled developers and to build security awareness within their organizations.

Among the actions that could reduce cybersecurity risk, Whitfill proposed security standards that are concise and risk based, which could serve as a template for reviewers, for questions put to vendors and for risk determination. Setting minimum standards that prioritize the highest-risk attributes would reduce exposure while streamlining the security review process. Overall, an all-inclusive security program would combine a defense-in-depth strategy, network segmentation of medical devices and continuous education for employees.