By Terry Bradley March 30, 2016
This week’s news that MedStar Health has suffered a serious computer security incident that has forced them to “turn away patients” (https://goo.gl/j2fFhY) comes as no surprise to anyone familiar with the state of network security in the medical industry. This week’s attack is just one of several high-profile incidents at major hospitals that not only threaten these providers’ ability to operate, but could impact the very safety of the patients they’re trying to help (see also: http://goo.gl/ocmZUp and https://goo.gl/LE45tI).
Focused for years on compliance with the privacy requirements of HIPAA, most health care providers have not even begun to address the more difficult challenge of protecting their networks and data from skilled attackers who are actively seeking access to increasingly lucrative patient personal information. The recent spate of ransomware attacks, however, has shown that stealing patient information is not the only way medical providers are being attacked. Direct extortion is clearly a viable option for attackers, and it may be happening in conjunction with more subtle attacks that steal patient data.
What’s a health care provider to do? I’d recommend immediately allocating two new budget line items. The first pot of funds would be for a “baseline security assessment” that would determine the organization’s current cyber security posture and create a roadmap of the projects and investments needed to address the deficiencies the assessment is certain to reveal.
What’s the second budget line item for? It would be for buying some bitcoins, which may be needed even sooner than a security assessment can get started.