Despite known best practices, perfection is still out of reach for hospital cybersecurity programs

Cybersecurity training, consistent patching and compliance with federal privacy regulations can help hospitals prevent a ransomware attack. But tradeoffs with data accessibility and portability make it almost impossible fully protect against attacks, according to a trio of legal and medical experts.

After numerous high-profile attacks, the impact of a ransomware attack on patient care is clear. Still, no “fail-safe solutions exist” and national cybersecurity contingency plans still lag behind, wrote researchers from Harvard University, Case Western Reserve University and Brown University in the Annals of Internal Medicine.

RELATED: After WannaCry, experts worry healthcare’s vulnerabilities will make the next ransomware attack even worse

“There are things we can do to reduce the risk but it is very hard to perfect IT security, especially given the needs of modern hospital systems to have things moving between places and increasing demand for patient-facing access,” I. Glenn Cohen, professor of law at Harvard University, said in a release. “To some extent, these attacks are inevitable.”

Although hospitals can adopt internal policies and procedures, a coordinated national strategy to prevent and respond to cyberattacks is a difficult task. The authors said U.S. hospitals should consider adopting a national policy not to pay ransoms and called on The Joint Commission to make cybersecurity requirements a more prominent part of the accreditation process.

But they also acknowledge the difficulty enacting and adhering to a universal policy not to pay ransoms, particularly when patient lives are on the line.

RELATED: Should hospitals pay up following a ransomware attack? The answer is far from simple

The FBI does not support paying ransoms linked to cyberattacks, but that hardline policy has softened over the years as the agency has acknowledged executives must evaluate all options when faced with interoperability disruptions. Former FBI officials told FierceHealthcare earlier this year that the decision to pay the ransom often varies depending on the hospital and the size of the attack.

“A lot of it has nothing to do with whether they want to pay the ransom or not,” said Robert Anderson Jr., managing director in the global legal technical solutions practice at Navigant and a former national security executive at the FBI who specialized in cybersecurity. “It comes down to simple business survival.”