Rural hospitals are more vulnerable to cyberattacks – here's how they can protect themselves

Cyber incidents at healthcare organizations have become a regular occurrence in recent years, with ransomware attacks and hacking sometimes leading to weeks-long network shutdowns.  

And although hospitals and health systems are vulnerable regardless of location, experts say that rural facilities – which often have fewer resources to put toward cybersecurity – may be especially at risk.  

“It’s an interesting dilemma, because they’re vulnerable from a cybersecurity side, but also they’re more vulnerable when it comes to longevity as a business,” said Baha Zeidan, CEO of Azalea Health, which provides health IT service to more than 800 hospitals and clinics, primarily in the rural United States.  

“They’re under a lot of pressure,” Zeidan said.

Considering the challenges rural hospitals frequently face around funding and patient volume, among other issues, Zeidan said, “How do you get them to focus on cybersecurity, and make cybersecurity bubble to the top?”  

Zeidan proposed secure cloud delivery of applications as one potential solution. This strategy, he said, would allow health facilities to lean on outside experts to help manage their network.

“For a small hospital … they can’t spend a huge percentage of their revenue on security,” he explained. “A cloud provider can invest in monitoring, upgrading, making sure they have all the right, secure tools to protect that environment.”  

But cloud-migration projects can have their own drawbacks.   

Greg Pollock, vice president of product cyber research at UpGuard, notes that smaller facilities with fewer people on a dedicated onsite IT team are certainly at risk for ransomware attacks.  

At the same time, he said, they’re unlikely to have the kind of “organizational breakdowns” that lead to another kind of data vulnerability: leakage.  

“Data leaks are largely a function of the number of people you have,” said Pollock.   

For instance, UpGuard recently released a report showing leaks from dozens of entities as a result of a Microsoft Power Apps default permissions setting. 

Because smaller hospitals are less likely to embark on enormous cloud-migration projects, they may be less prone to this particular issue, said Pollock. “Most data exposure issues do arise from data cloud storage or posting stuff on GitHub,” he said.

“My model for risk for a rural hospital is: You’re going to get hit by a ransomware attack because you’re running old Windows products,” he added. “The two people running IT there may have oversights due to being human and a small team … but those people are far less likely to leak stuff on GitHub or cloud tech.”

Speaking to that concern, Zeidan noted the responsibility for training staff to both prevent data leaks and be prepared to respond to attacks. 

“Just like you have HIPAA training and privacy training, you have to have enough training around cybersecurity,” he said. It would also be helpful for the government to do more to help, he added.  

President Joe Biden has requested billions of dollars toward bolstering cybersecurity efforts, but it’s unclear how much of that – if any – would trickle down to small hospitals looking to shore up their defenses.  

“If I am feeling insecure and being attacked, I call 911,” said Zeidan. “Why can’t we do that for cyber? Why is the government not stepping into that level?”   

“Our digital life and real life [are] intersecting more and more,” he added. “I feel like the government is a little bit behind when it comes to that side … I’m hoping the government will take that seriously and step in to help the small and midsize providers.”  

In the meantime, say the experts, there are a number of ways rural hospitals can protect themselves.  

“Hospitals need to use IT security technology [that] does not rely on nontechnical members of staff to make security decisions,” said Nigel Thorpe, technical director at SecureAge.  

“Cybercriminals will always be one step ahead of technologies that attempt to identify, then block, malware, so IT security systems need to take a more pragmatic approach which allows for people to make the wrong choices – and then block anything that’s new and unknown.   

“Other measures include the traditional mantra of keeping reliable, tested and offline backups; ensuring that a disaster recovery plan has been worked out and tested; and using multifactor authentication,” he continued.

And if a health system does come under attack, Thorpe said, getting systems back online is critical – especially in regions where the facility might be the only one available for miles.   

This past year, a woman in Germany died in what many believe was the first fatality connected to a ransomware attack, after her ambulance had to be diverted to another hospital 20 miles away.  

“It is likely that the quickest way of recovering from an attack is to rebuild all affected systems. This is where having a reliable backup mechanism is very important, and equally important is the disaster recovery plan, so that IT staff do not have to think through what they need to do –  it should just be a mechanical operation,” said Thorpe.  

In cases where an IT team is remote, he said, “If there are initial procedures that on-site nontechnical staff can perform under instruction from remote IT administrators, then this approach can save valuable recovery hours.”  

It’s vital, said Zeidan, for health systems to look at cyber threats with the same lens they would any other risk to the system.  

“It’s as serious as not having enough beds for COVID-19 patients,” he said.  

“We feel cybersecurity is a public health issue. It has to be thought about from a public health mindset,” he said.   

“If we shut down a hospital, we’re denying care to a population.”

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.

Source: Read Full Article