Northwell’s Mark Jarrett explains why clinicians should care about cybersecurity

As cyberthreats mount, cybersecurity is as much a patient care concern as an IT task.

It’s been said before and will probably be said many times again: Healthcare cybersecurity is not just an IT issue.

That’s become increasingly apparent as large-scale attacks have disrupted, and in some cases shut down, hospital systems, Northwell Health Senior Vice President and Chief Quality Officer Mark Jarrett, M.D., wrote in a recent JAMA Viewpoint. Like others before him, Jarrett argues that clinicians have a responsibility to adhere to basic cybersecurity precautions to protect patient data.

“They should not object to having to change passwords on a regular basis, and they should use passwords that are strong,” he wrote. “They should be wary of email phishing, a common portal of entry for hackers. Vulnerabilities, such as nonupdated software, must be mitigated; cybersecurity software must be deployed; and suspicious network activity needs to be reported. Clinicians should never assume that because their practice or organization is small, they will not be a target of hackers and malware.”

But Jarrett also acknowledges that small healthcare organizations do not have the funds to outsource the level of experience necessary to protect against or respond to today’s threats, and he advocates allowing larger systems to provide support to their smaller counterparts.

This was one of many recommendations outlined in a report released by the Department of Health and Human Services’ Cybersecurity Task Force in June, which called on Congress to change the Anti-Kickback Statute and the Stark Law to allow larger systems to share cybersecurity resources with smaller practices. In the past, the Office of the Inspector General has granted exemptions to the law, allowing hospitals to “donate” EHR systems to physician practices to improve data sharing.

Experts estimate that more than 85% of small- or medium-sized hospitals lack a single qualified security person on staff. And even basic cybersecurity prevention efforts like patching can be a difficult task for larger institutions—and those vulnerabilities have been exploited in recent months in global malware attacks.