A career as a medical professional can be a highly rewarding pathway – for those who want to make a difference in the communities they serve, courses such as an ABSN program online provide an opportunity for a high-quality, professional pathway into clinics and hospitals throughout America.
Often, when you’re working in hospitals and clinics, there’s a level of on-the-job training that you have to complete, such as ongoing learning, awareness of company policies and procedures, and interacting with and using systems on a hospital network. These skills are typically picked up while working, and in recent years, have become increasingly significant as cyber attacks and intrusions have become the norm for even the most secure of hospital infrastructure.
As the healthcare sector continues to rely on technology to provide high-quality patient care, how can hospital staff and network administrators come together to provide a holistic, managed response to cyber threats? The answer, as it turns out, may not be as simple as first thought. Let’s explore how an evolution in the cybersecurity space is challenging traditional norms about the role of infrastructure security in the workforce, and how a mix of awareness, technology, and policy engagement must work together to tackle the challenges of tomorrow, today.
Data risks in the digital age
Why is cybersecurity a significant concern in contemporary hospitals? The answer typically supplied revolves around their role as a hub for activity – hospitals are often open twenty-four hours a day, seven days a week – from emergency departments to hospital wards, they’re a hive of activity.
Cyberattacks can be incredibly disruptive – limiting the ability of hospitals to take on new patients, disrupting their capacity to provide accurate healthcare for current patients, and putting immense strain on hospital networks that are already under pressure.
A recent cyberattack on California’s Tri-City Medical Center demonstrated just how potent an attack can be. Previously the victim of several cyberattacks in recent years, Tri-City’s systems were hit by a ransomware attack on November 9, 2023, that shut down the majority of the hospital’s emergency services. The result was an eight-day outage that forced the hospital to divert ambulance traffic to other local hospitals, putting strain on the broader healthcare system as they struggled to get the attack under control.
Unfortunately, there are more risks present than simply taking a hospital offline. Hospitals contain a wealth of patient data, typically out of necessity – to understand the individual needs of patients, they may hold personal and sensitive information such as treatment histories, insurance details, and identity documents.
While taking a hospital offline temporarily can have its advantages, being able to steal the personal information of patients can potentially open up opportunities for blackmail, fraud, and exploitation. Unfortunately for patients of the Tri-City Medical Center, patient data that was believed to have been acquired during the November cyberattack began to be disseminated online less than a month later, opening up future risks for patients and the hospital alike.
Understanding cybersecurity risks
Understanding the risks that are present in any networked infrastructure can be essential in implementing strategies and techniques that mitigate the risk of future intrusions. Hospitals notoriously contain a vast amount of digitally interconnected devices – often offering limited protection at a vendor level.
From monitoring systems, to diagnostic platforms such as MRI and CT machines, to internal dispatch and workforce management systems, complex hospital infrastructure can present significant risks. As hospital equipment might be in use for a decade or more, managing the firmware of older systems can be crucial in preventing network-based attacks.
It’s important to understand that risks are not simply a result of equipment. Humans are inherently vulnerable to attack as well – for example, a well-targeted phishing attack may allow a malicious actor to socially engineer themselves into a hospital network.
Attack vectors are not always technological – after all, a computer is only as smart as the human that operates it, and they can be just as vulnerable to manipulation as an unprotected system can be. Hospitals should consider the role that an enterprise risk framework may have in outlining the potential risks and avenues of intrusion that might come up during cyber attacks.
Investing in cybersecurity initiatives
It may seem like investing in cybersecurity initiatives is an expensive, additional cost when protecting hospital infrastructure. In reality, cybersecurity represents a drop in the bucket when compared to broader healthcare spending by developed nations.
Research from leading advisory firm Herjavec Group sought to understand the relative costs of cyberinfrastructure investment when compared to total healthcare investment. The result? Global healthcare cyber security spending was expected to grow to $125 billion cumulatively over a five-year period ending in 2025, according to the research – less than one-thirtieth the total healthcare spend in the U.S. in that same time.
Cybersecurity investment, while substantial, can go a long way to reducing the amount of downtime that occurs when a healthcare provider is impacted by a cybersecurity threat, and can go a long way in preserving organizational reputation the next time a hack occurs.
The importance of ongoing education
It’s important to recognize that knowledge is only half the battle – and that the solution to cyber risks often has to pivot between the needs of medical practitioners and the technology that serves hospital environments.
Adopting a mindset that focuses on constant education and awareness is a great way to start to protect an organization against the risks of cyber attacks. There are a few ways to do this, including strategies such as mapping out risk vectors, locking down insecure systems, and educating employees on cybersecurity awareness.
Mapping out cyber risks can sometimes be arduous, but it can go a long way in identifying areas that have lapsed cybersecurity standards, such as outdated networking firmware. Locking down systems can also help to protect hospitals from exploits such as zero-day malware and other damaging exploits.
Educating employees on how they can demonstrate positive cybersecurity hygiene, such as regularly resetting passwords and ensuring that they’re aware of common security risks, can also go a long way toward protecting systems from malicious actors.
As we can see, healthcare systems present an enticing opportunity for malicious actors to disrupt not only hospital infrastructure, but expose the personal medical details of patients when they are most vulnerable. To be well-prepared to protect healthcare infrastructure from malicious cyberattacks such as malware and phishing, stakeholders at all levels must be aware of what they can do to protect themselves and their patients.
While it’s not explicitly taught in a course, understanding the cyber risks that medical staff face can go a long way to making a positive difference in today’s highly digital world.
Featured image credit: Mingwei Lim/Unsplash.