Want to fight ransomware? Set minimum standards, prioritize education

As cyberattacks become increasingly common, healthcare professionals must push security to the forefront. In a presentation given at the annual meeting of the Radiological Society of North America (RSNA) in Chicago, Jim Whitfill, CMO of Innovation Health Partners and president of Lumetis, described the current cybersecurity environment and detailed how professionals can take steps toward improving privacy.

This year, the ransomware market is projected to earn as much as $1 billion a year—a dramatic increase from only $24 million in 2016. Additionally, the $50 value per medical record vastly outweighs the value of other stolen information. Email information, for example, is sold for about $5 per account.

Whitfill warned of an impending massive cyberattack, much like WannaCry, if healthcare information security doesn’t improve. Fighting such threats starts with understanding the shortcomings of healthcare IT security, identifying adversaries and developing comprehensive security programs.

Whitfill discussed common security concerns such as operational security gaps, unpatched software, lack of encryption and authentication, and application vulnerabilities. Today’s hostile online environment is host to a number of threats to healthcare cybersecurity. In his presentation, Whitfill explained how hacking has become an easily learnable skill with the unlimited resources being posted on sites like YouTube.

As it stands now, the state of healthcare security has room for improvement in both the hospital and medical device settings. Healthcare organizations spend an average of 4 to 6 percent of their IT budget on security, a much lower percentage than the 12 to 15 percent invested by the financial industry. The low funding by healthcare organizations may explain why 94 percent of medical institutions have experienced a cyberattack. Unfortunately, the security of medical devices is also neglected because most vendors are stuck trying to find skilled developers and build security awareness.

Possible actions for reducing the risk of cybersecurity threats include setting security standards that are concise, risk-based and usable as a template for reviewers, vendor questions and risk determination. Setting minimum standards to prioritize high-risk attributes would also help decrease threats while streamlining the security process. Overall, an all-inclusive security program would contain a defense-in-depth strategy, network segmentation of medical devices and continuous education for employees.

Cara Livernois, News Writer
