As cyber criminals continue to wreak havoc on healthcare providers by way of ransomware, IoT attacks, and breaches of personal, protected health information (PHI), many of these attacks have had a crippling effect on healthcare’s ability to administer critical, life-saving services to patients.
For example, Campbell County Memorial Hospital in Gillette, Wyoming recently had to divert patients from its emergency room due to a ransomware attack. CCH was also forced to cancel a number of critical procedures and exams, including respiratory therapy, radiology exams, and even some surgeries. Additionally, a number of new inpatient admissions could not be processed, since the needed services could not be provided.
Numerous other hospitals and clinics have been similarly affected. N.E.O. Urology Associates in Ohio was hacked in June, with the attackers demanding $75,000 in ransom to unlock its computer system. The medical practice agreed to pay the ransom through bitcoin, in order to regain access to their system. In 2016, Hollywood Presbyterian Medical Center staff was forced to work without electronic health records and email for more than a week after an attack. A $17,000 ransom was paid to unlock its data from hackers.
Statistically, it is estimated that 2100 deaths per year can be attributed to healthcare data breaches causing delays in needed services
Especially as IoT technology grows, the impact of malware or system downtime can be devastating. One particularly disturbing report details how a computer virus may even be capable of adding tumors into CT and MRI scans, fooling doctors into misdiagnosing patients.
In general, the failure to have access to critical information can have “catastrophic” effects on numerous levels, according to the Federal Bureau of Investigation (FBI). Not only can a misdiagnosis or loss of life occur, but “the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation” can have far-reaching consequences.
The real, hourly cost of computer downtime to a company can range between $140,000 and $540,000. The real, human cost of downtime in terms of decreased patient health – especially as services increasingly depend upon internet delivery – is incalculable
Clearly, a proactive, digital security approach for healthcare – including the ability to search for and mitigate new threats (managed detection and response) – is fast becoming indispensable. This need will only increase as connected technology becomes more embedded in devices like ventilators, pacemakers, and medical lasers.
Unfortunately, many hospitals simply have not planned for things like network segmentation of IoT from other devices. This leaves numerous, unprotected channels for systems and devices to be potentially compromised. Going forward, healthcare IT administrators will need to address their “legacy infrastructure of unmanaged devices” with a strong security plan, preferably before new devices are introduced into the system.
The Benefits of an MSSP
In light of these realities, organizations who typically leverage a Managed Service Provider (MSP) for basic IT management, hardware/software support, and remote monitoring of their digital infrastructure are discovering that it may no longer be enough – especially if the MSP is lacking in advanced, cybersecurity expertise.
An experienced Managed Security Service Provider (MSSP) – particularly one who has HIPAA expertise for healthcare – can play a strategic, partnering role in shaping a strong security plan for organizations, helping healthcare organizations to:
- identify and mitigate threats which continue to grow in type and complexity. Since protected health data is at constant risk for attack, real-time analysis of networks and logs, SIEM and alerts, and encrypted servers – all important parts of a HIPAA compliant environment – can be monitored and maintained, and threats blocked before sensitive data can be compromised.
- stay on top of the latest malware and threats. Keeping abreast of and applying the latest security patches to operating systems is necessary to preserve the integrity and availability of PHI. An MSSP will be on the “front line” on your behalf, helping prevent the possibility of a costly data breach.
- preserve vital uptime, and fast response times. Keeping critical systems responsive gives physicians and caregivers the ability to respond promptly to emergent care needs.
- streamline business operations and reduce capital equipment and IT expenditures (typically used for servers, onsite data centers, maintenance, etc.), as they are outsourced to the MSSP.
- utilize an efficient, scalable environment. The opportunity to increase resources (CPUs, memory, virtual servers, etc.) in real time and optimize systems for heavier or lighter loads maximizes efficiency, without a loss in performance.
- address the human-error factor. Some MSSPs – like HIPAA Vault – offer staff training programs for cybersecurity awareness. Today’s organizations will routinely see phishing attacks,CEO fraud, internal lapses in workstation security, USB attacks, and more. Since human errors and internal actors represent a large percentage of breaches (59%), finding an MSSP who can help provide staff training programs can be a great asset for a strong defense.
Many of the above needs are beyond most healthcare organization’s ability to manage, while attempting to focus on essential services and patient care. Partnering with an experienced MSSP can free them up to do what they do best, while ensuring critical applications and data remain available.
In summary, when a malicious cyber attack interrupts a healthcare system’s vital services and even threatens a patient’s health and well-being, it’s time to reframe the need for cybersecurity as an essential part of patient care. In short, as an MSSP helps keep networks secure and services from going offline, they become an integral part of healthcare’s mission to use best practices and advanced technology in the service of saving lives.
HIPAA Vault’s Managed Services includes less-than-15 minute response times for critical alerts, and 90% first call resolution. Our dedicated IT professionals handle everything from general support questions and maintenance, to more complex issues such as advanced firewall configurations and system monitoring. In this way, we simplify your business while providing peace of mind. Typically, one monthly payment covers the management of your environment, network maintenance, security updates, and more. HIPAA Vault is dedicated to preventing the issues that impact your network efficiency and security. 24/7/365 infrastructure monitoring, routine backups, and Disaster Recovery services help your network remain available, and responsive.