The healthcare industry is slowly shoring up its cybersecurity defenses, but it might not be moving fast enough to prepare for a wide-scale attack like the one that hit the U.K.’s National Health Service and other organizations in some 150 nations on Friday, sources tell FierceHealthcare.
WanaCrypt0r 2.0 (aka WannaCry) ransomware attacks shut down NHS hospitals, forcing them to divert ambulances and cancel thousands of operations and other appointments. Vital equipment, such as MRI scanners and X-ray machines, were taken offline because they could not be repaired immediately.
The Department of Health and Human Services said there was "evidence" that the attack could spread to the U.S. and urged healthcare organizations to be vigilant. From lack of funding and staffing to a lack of urgency, CIOs at hospitals and health systems say the healthcare industry isn't totally prepared for a similar attack here.
“By prioritizing clinical functionality and uptime, healthcare organizations may not always have the most up-to-date software. Thus, healthcare in general may be more vulnerable than other industries to cyberattacks and the scope of the impact to the NHS in the U.K. illustrates the problem,” says John Halamka, CIO at Boston’s Beth Israel Deaconess Medical Center.
Roger Neal, vice president of operations and CIO at Duncan Regional Hospital in Oklahoma, also says he fears the industry is not prepared to take on a wide-scale attack.
“With the mass of regulation that hospitals and physicians are dealing with in a changing industry, keeping up with cybersecurity is sometimes a secondary consideration even today. It shouldn’t be, most organizations large or small don’t want it to be, but audits, new regulation and declining reimbursements are taking its toll on resource and funding priorities that push cybersecurity issues lower in priority.”
Cyberattacks pose a real threat to all organizations, says Indranil (Neal) Ganguly, vice president and CIO at JFK Health System in Edison, New Jersey.
But there is some good news, he said.
“The healthcare sector’s awareness and approaches to dealing with these threats is maturing. Many security firms have emerged or entered the healthcare space to partner with providers in implementing the best protections possible.”
Experts are touting the importance of security patches in the wake of the WannaCry ransomware attack. But it’s more complicated than that, says Halamka, in part because of legacy healthcare systems.
"Healthcare IT is always a balance of reliability, functionality and security. Each time a patch is introduced, the act of changing a mission-critical system impacts reliability and functionality,” Halamka says.
“Some mission-critical systems were created years ago and never migrated to modern platforms. In 2017, there are still commercial products that require Windows XP, for which few patches are available.”