Nightly Business Report

Hospital cybersecurity: It takes practice

Reza Estakhrian | Getty Images

Cambridge Health Alliance is one of many hospitals that has embraced health-care technology to improve patient care. Still, for doctors and nurses in this hospital network outside Boston, worrying about security when they input data into the system's computers requires a balancing act.

"You have the patient interaction, you have the computer, you have security and you're actually trying to think clinically about what to do next," explained Dr. Brian Herrick, chief medical information officer at Cambridge Health. "It has made things more difficult to interact with the patient."

By law, Cambridge Health is required to protect patient information. Yet recent ransomware attacks that hobbled systems at Hollywood Presbyterian Medical Center in Los Angeles, MedStar Health in Washington, D.C., and others have made staff here more aware that they could also be targeted.

"It's one of our number one concerns, and it certainly has risen," said Herrick.

As a result, they've focused on trying to make security measures seamless and easier to use. One method they've adopted is to move away from passwords for user authentication.

"Whether it's using a fingerprint or inking your card and eliminating all those things you initially need to think about … and [ending] that habit or trend to use the same password across all platforms and applications," said David Ting, co-founder of cybersecurity firm Imprivata, which provides the hospital's IT security.

"We've known that to be a bad policy, because if you get one password you can get access to everything," said Ting, who serves on the U.S. Department of Health and Human Services cybersecurity task force.



On guard for malware


The hospital system tries to make thinking about safety a habit through staff testing. The IT security department regularly sends out phishing-style emails. If recipients are fooled and click on a link, it defaults to an online tutorial on how to spot malware.

"We probably have a 97 percent pass rate," said Arthur Ream, chief information security officer at Cambridge Health. "They think before they click … and we give them tools to figure out if something may or may not be phishing."

In the last year, they've gone one step further by putting the management team to the test. In the same way some hospitals run simulated emergency response drills, they run surprise security drills to test the hospital's response.

"We have an outside facilitator that comes in and says, 'Here is your scenario, and now go through it utilizing your policy, your procedures and everything else,'" Ream explained. "We need to transition it down through the level from the executives, to media relations, to legal, to the medical processes in the hospital."

There's good reason for Cambridge Health to be on the defensive. According to an IBM study, health care overtook financial institutions to become the most hacked industry in 2015. Part of the reason is that health-care data is rich in personal information, so it has become valuable to identity thieves and other bad actors.

Yet hospitals aren't the only ones who should be practicing breach preparedness, cybersecurity experts said, because ransomware attackers are likely targeting other industries.

"We typically hear about hospitals and providers because they have really strict regulatory requirements that require they report these incidents," said David Damato, chief security officer at Tanium, a cybersecurity company. "It's also very obvious when you have life-saving services or technologies that are down."

Other sectors "don't have these same regulations … and it's not always obvious to the public if an organization has been attacked," he said.

At Cambridge Health, Ream said surprise breach drills have been invaluable to help the staff learn how to implement a quick, coordinated response to a breach situation.

"I think we are all well positioned to catch these issues in a timely fashion and proactively take action," he said, adding that he's under no illusion that they're immune to attack. "There is always the potential to miss a catch."