It’s been said before and will probably be said many times again: Healthcare cybersecurity is not just an IT issue.
That’s become increasingly apparent as large-scale attacks have disrupted, and in some cases shut down, hospital systems, Northwell Health Senior Vice President and Chief Quality Officer Mark Jarrett, M.D., wrote in a recent JAMA Viewpoint. Like others before him, Jarrett argues that clinicians have a responsibility to adhere to basic cybersecurity precautions to protect patient data.
“They should not object to having to change passwords on a regular basis, and they should use passwords that are strong,” he wrote. “They should be wary of email phishing, a common portal of entry for hackers. Vulnerabilities, such as nonupdated software, must be mitigated; cybersecurity software must be deployed; and suspicious network activity needs to be reported. Clinicians should never assume that because their practice or organization is small, they will not be a target of hackers and malware.”
But Jarrett also acknowledges that small healthcare organizations do not have the funds to outsource the level of experience necessary to protect against or respond to today’s threats, and advocates for allowing larger systems to provide support to their smaller counterparts.
This was one of many recommendations outlined in a report released by the Department of Health and Human Services’ Cybersecurity Task Force in June, which called on Congress to change the Anti-Kickback Statute and the Stark Law to allow larger systems to share cybersecurity resources with smaller practices. In the past, the Office of the Inspector General has granted exemptions to the law, allowing hospitals to “donate” EHR systems to physician practices to improve data sharing.
Experts estimate that more than 85% of small- or medium-sized hospitals lack a single qualified security person on staff. And even basic cybersecurity prevention efforts like patching can be a difficult task for larger institutions—and those vulnerabilities have been exploited in recent months in global malware attacks.