Seven Best Practices to Guard Against Hospital Cyberattacks

Jeff Adams
Senior Vice President

October is Cybersecurity Awareness Month, a good time to write about the cyberattack challenges hospitals face.

Hospital cyberattacks are prevalent – and costly.

Just ask CommonSpirit Health, which experienced an ‘IT security incident’ on October 3 at an undisclosed number of facilities in multiple regions. In the near-term, the attack “took patient records offline, forced ambulances to divert and delayed treatments.” The longer-term impact is still unknown.

A poll of 641 IT and security leaders found that “89 percent of the surveyed organizations experienced an average of 43 attacks over the past year – averaging almost an attack each week.”

Given the prevalence of cyberattacks, it is not surprising that there are consequences, including deadly ones. In the same survey mentioned above, a small percentage of hospitals that experienced the four most common attack types – ransomware, cloud compromise, supply chain disruption and phishing – admitted they have “subsequently experienced increased patient mortality rates.”

Other costly impacts are:

  • The average total cost of respondents’ most expensive cyberattack was $4.4 million. This figure includes direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs and lost business opportunities.
  • 50 percent of respondents said their organization experienced a supply chain attack, and more than two-thirds of those respondents said it disrupted patient care.
  • Two-thirds of IT and security leaders who experienced a ransomware attack said it caused “delays in procedures and tests that resulted in poor outcomes,” as well as increases in complications and in patients transferred or diverted to other facilities; 59 percent said it resulted in longer lengths of stay.

Increasingly, the focus of cyberattacks, according to a report from Critical Insight, is on “smaller healthcare companies and specialty clinics without the resources to protect themselves, instead of larger health systems that generally have more sophisticated security.”

Seven Best Practices to Mitigate the Risk of Cyberattacks

Knowing the prevalence and costs of cyberattacks, savvy hospitals – regardless of their size – are using these seven practices to mitigate the risk:

  1. Know your environment.
  2. Develop, test and periodically review your complete disaster recovery plan.
  3. Adopt robust multi-factor authentication.
  4. Educate and train your staff.
  5. Protect backups with both a location gap and an air gap.
  6. Test your security operations.
  7. Evolve to Zero Trust.


Complicating hospital cybersecurity readiness is a lack of in-house expertise, staffing and collaboration with other functions.

How QHR Health Helps Hospitals Prevent Cyberattacks

We offer three services to help prepare hospitals and health systems for cyberattacks:

  • Virtual CIO: Independent hospitals often struggle to recruit suitable CIOs. Interim and part-time virtual CIOs can bridge the gap.
  • Cybersecurity risk assessment: Cyberattacks are costly and inevitable. QHR Health’s proactive assessment will determine your organization’s risk profile and identify ways to mitigate that risk.
  • Technology strategy and optimization: Shrewd hospital leaders and board members know they need a tech-enabled, strategic plan and road map, but often do not have the right personnel to create and execute a plan.