When it comes to cybersecurity, don't overlook staff education

In April 2014, the FBI issued warnings about the healthcare industry's vulnerability to cyberattacks. In particular, the agency called the possibility of increased cyberintrusions likely, given the combination of the shift to online systems and a lack of preparation by most organizations.

Nearly two years later, the FBI has its hands full as those warnings have come to fruition.

Hospitals and payers are in full panic mode in the wake of recent highly publicized attacks. The latest example is Monday's cyberattack on MedStar Health, which operates 10 hospitals in the District of Columbia and Maryland. The FBI is investigating the incident as a possible ransomware attack, the same kind that paralyzed Hollywood Presbyterian Medical Center in February before executives opted to pay $17,000 to get control of its systems back.

The incident at MedStar is so bad, according to the Washington Post, that some patients have even been turned away.

While employees at MedStar, Hollywood Presbyterian and other health systems all likely have been trained on cybersecurity, it bears repeating that staff education matters.

In conversations with several hospital information security managers and CIOs at the Healthcare Information and Management Systems Society's annual conference earlier this month in Las Vegas, cybersecurity, and in particular ransomware, certainly was top of mind. Many indicated they had stopped the spread of ransomware before it hit mainstream networks, but would not have been able to do so without the help of vigilant employees.

On a recent audiocast posted to the American Hospital Association's website, Mary Ellen Callahan, a partner at Jenner & Block who serves as AHA outside counsel for cybersecurity issues, preached a similar mantra.

"Try to educate your entire workforce," Callahan said. "Also, make sure that you back up your data regularly. Make sure that your software systems are up to date. Making sure that you have good hygiene throughout your whole infrastructure will really help to prevent" such incidents.

Mike Overly, an information security lawyer at Foley & Lardner LLP, called the human component to breach prevention critical.

"In most instances, ransomware attacks result from human error: opening a file from an unreliable source," Overly told FierceHealthIT in an email. "This type of error can only be addressed through user training and clear policies."

What's more, during a recent FierceHealthIT webinar focusing on privacy and security, both Aaron Miri, CIO at Dallas-based Walnut Hill Medical Center, and Meredith Phillips, chief information privacy and security officer at Detroit-based Henry Ford Health System, discussed the importance of ensuring such training becomes part of the normal culture of an organization.

"It shouldn't be easy to access data; it shouldn't be," Miri said. But, he added, security also does not need to be onerous and burdensome.

"It's about engraining" security as a habit, he said.

Education won't prevent all cybersecurity incidents from occurring; hackers seem to find new ways to breach systems every day.

If done the right way, however, it could mean the difference between life and death for some patients. - Dan (@Dan_Bowman and @FierceHealthIT)