Since the beginning of the pandemic, the healthcare industry has seen a significant rise in cyberattacks. The combination of the pandemic’s effects — crowded facilities, expanded telehealth usage, exhausted workers — with more reliance on medical devices has left the industry vulnerable to cybercriminals.
The response plan for a compromised medical device should include contacting the device manufacturer. The security of medical devices should be addressed from the time the medical provider contracts to purchase the device. Obtain information from the manufacturer regarding the security of the device, such as the Manufacturer Disclosure Statement for Medical Device Security.
Hospitals and health systems are increasingly dependent on sophisticated medical devices for patient care and maintaining safety, but not all are ready to respond effectively when hackers access those devices. Risk managers should ensure an effective response plan is in place that is well practiced and ready to deploy at a moment’s notice.
The U.S. Department of Justice is pursuing an initiative aimed at uncovering and punishing government contractors that have insufficient cybersecurity or fail to report breaches. The agency is wielding the False Claims Act as a primary tool.
Class actions stemming from ransomware attacks are becoming increasingly common as the public awakens to the likelihood that these episodes are often accompanied by data exfiltration and breaches. In the last two years, it has become increasingly common for consumers who are concerned about their own data exposure to file class actions against companies (including cloud software providers and healthcare companies).
Cyberattacks are a major threat to healthcare organizations, with the potential for HIPAA data breaches, the loss of critical patient data, the inability to provide care, and substantial financial losses from ransoms and litigation. The White House is urging hospitals and health systems to take specific steps to improve cybersecurity.
To implement a cybersecurity solution, one needs to understand the four pillars of cybersecurity — Cybersecurity Awareness Training, Cybersecurity Audit, Vulnerability Scanning, and Penetration Testing.