Tuesday July 16, 2019

Cybersecurity in the Healthcare Industry – Challenges and Best Practices


Valued at trillions of dollars, the U.S. healthcare industry is growing in size each year. Not only does the industry provide invaluable medical and clinical services to American consumers, it is host to extremely sensitive and valuable information, including:
• Personally Identifiable Information (PII)
• Payment Card Information (PCI), and
• Protected Health Information (PHI) held in Electronic Medical Records (EMR)
As a result, the U.S. healthcare industry is an increasingly attractive target of cyber-attacks by:
• Nation-state actors
• Organized cybercriminals
• Hacker groups
• Company insiders
The threat of attack is very real—and the consequences are potentially deadly. According to recent survey data from BDO in partnership with the American Hospital Association, more than half of hospital CEOs predict it is at least somewhat likely that a hospital or health system in their service area will experience a cyber breach that interferes with critical medical systems and causes physical harm to one or more patients in the next five years.
Recent Cyber Events in the Healthcare Industry
Most of the reported attacks in the industry are ransomware infections—where the data is held “hostage” until a ransom is paid—installed on the device or computer network either through targeted spear-phishing attacks or “scattershot” attacks (i.e., unfocused and often generic attacks). The vast majority of malware attacks in the healthcare industry are delivered via file attachments or URLs that lead the user to malicious code. Malicious URLs were the preferred vehicle in 2018.
Malware attacks are not a unique industry phenomenon. However, the relatively large number of successful cyber-attacks on U.S. health organizations indicates that the computer systems in the healthcare sector are systematically ill-protected. Vulnerability to intrusion is further compounded by growing adoption of artificial intelligence (AI) and the Internet of Things (IoT)—which, while a critical engine of industry innovation, also create new avenues of attack.
BDO’s 2019 Middle Market Digital Transformation Survey found that 36 percent of midsized healthcare organizations are already deploying AI solutions, and another 44 percent are considering AI deployment. Meanwhile, almost half (49 percent) of midsized healthcare organizations are deploying IoT technology, with another 39 percent considering deploying it. Moreover, according to healthcare cybersecurity firm Cynerio, the number of connected medical devices alone is currently estimated at 10 billion and is expected to reach 50 billion within the next 10 years. While manufacturers are ultimately responsible for identifying and remediating potential cyber vulnerabilities associated with their medical devices, they are only meant to be the first line of defense.
With the infiltration of technology into healthcare, consumers expect care to be available at their fingertips, personalized to their individual needs and preferences. They want digital health solutions. Taking patient needs into account, health organizations must determine what digital initiatives are needed to be competitive in the future—while also employing a threat-based cyber approach to anticipate what type of cyber risks could hinder or even arise from those initiatives. Any disruption, failure or security breach may result in not just monetary loss but the loss of life.
Ten Cybersecurity Best Practices for the Healthcare Industry
1. Prepare for complexity
2. Be ready for the unexpected
3. Take time to review and approve budgets, prioritizing spending based on level of threat
4. Create a cybersecurity culture
5. Develop and test a breach communication plan
6. Implement cybersecurity for medical devices in alignment with FDA post-market guidance
7. Systematize the collection of threat intelligence
8. Provide cybersecurity education and training
9. Perform third-party/vendor cyber risk assessments
10. Conduct timely incident response in accordance with the HIPAA Breach Notification Rule
Once the sole prerogative of the IT department, cybersecurity is now the shared responsibility of all healthcare professionals. As part and parcel of their commitment to patient safety and quality, every healthcare professional must understand the nature of the cyber challenges facing the industry and adopt proven best practices to mitigate cyber risk.

Gregory Garrett is Head of U.S. and International Cybersecurity, BDO.

Alfredo Cepero, Managing Partner
Angelo Pirozzi, Partner

