As every aspect of our healthcare technology infrastructure grows, so does our reliance on the internet, large networks, and third-party collaborators to maintain an efficient system. However, as our connectivity grows, so does our risk from large-scale cybersecurity attacks. At the recent West Texas Cybersecurity Workshop hosted at the McInturff Conference Center, cybersecurity experts joined information technology professionals and regional CEOs to outline the real-world risks of hacking organizations.
Moderator and veteran FBI and CIA cybersecurity guru John Riggi carefully outlined modern threats to hospital networks. Subjects included where threats are coming from, how vulnerabilities occur, what happens after threats are detected, the fallout of security breaches, and how to prevent or mitigate the damage of network breaches. One of the most common methods of hacking organizations involves using “ransomware,” or technology that spreads through healthcare networks, locking down systems behind a unique key. The whole system is held hostage until a “ransom” is paid.
In some cases, ransomware attacks can cost hospital systems millions of dollars, either in direct ransom payments to release locked systems or the general loss of revenue resulting from the initial security breach. But worse, and in some ways unique to a hospital system, the substantial effects of ransomware attacks may result in a slowdown or halting of life-saving services. Patients are put at risk as a result. Mr. Riggi said, “These attacks can affect everything, including email and phone, but even more critical hospital technologies like telemetry, access to medicine cabinets, and imaging and radiology.” He went further and defined a substantial ransomware attack, essentially, as a “slow-rolling mass casualty attack.”
A panel of hospital leaders and representatives shared their experiences dealing with cyberattacks. Each story portrayed vivid and serious scenarios that could occur if cybersecurity policies and software aren’t sufficient. In each case, the breaches came in nearly undetectable ways. One breach happened through a third-party payroll system, highlighting how cybersecurity risks include the entire umbrella of hospital systems. Another case resulted from a low-level employee falling victim to a “spoof” email in a phishing attack. In both cases, hospitals lost hundreds of thousands of dollars, and the high-tech systems that even small regional hospitals depend on were relegated to manual processes.
Mr. Riggi assured the attendees, “The problem is difficult, but it’s not insurmountable.” The moderators offered relevant, on-the-spot challenges to cybersecurity professionals and CEOs in attendance and advised them carefully on how to protect their hospital systems and their patients. Training, like that offered to all UMC employees, about phishing emails and cybersecurity threats is essential because a breach can happen at any level. Mr. Riggi asserted the importance of common system backups and of practicing day-to-day activities manually, without the support of sophisticated technology. Insurance companies also provide services that help hospital systems negotiate in the case of ransomware attacks and mitigate losses resulting from a systems breach. Ultimately, Mr. Riggi reminded those in the audience that cybersecurity is everyone’s job and that hospital systems should be proactive instead of reactive regarding cybersecurity threats.
Brenda Rose, Director of IT Security and CISO, reflected on the importance of the Cybersecurity Workshop, saying, “UMC takes an active part in connecting with industry and government cybersecurity leaders for staff to gain defensive skills and in-depth knowledge to meet the challenges of today’s cyber threat landscape.”