Ever Vigilant: Hospital Security in the Age of Cyber Warfare

“Eternal vigilance is the price of liberty.” This phrase, or a reordering of it, has been attributed to various prominent Americans since at least 1809. In its original context the aphorism was a warning against would-be tyrants inside government, but it applies just as well to other threats. Vigilance of that kind is certainly needed in the face of modern cyber attacks on healthcare, and in recent days we have received yet another reminder of why.

The Threats We Face

Becker’s Health IT is reporting that patients and providers at numerous subsidiaries of Chicago-based CommonSpirit Health continue to experience “the ongoing effect of an unidentified IT security incident” that began on or about Oct. 3. The attack, which affected CHI Health facilities in Nebraska and Tennessee, Seattle-based Virginia Mason Franciscan Health providers, MercyOne Des Moines Medical Center and Houston-based St. Luke’s Health, caused electronic medical record (EMR) outages, information technology (IT) system disruptions and serious delays in patient care.

The presumed cyber attack also forced St. Michael Medical Center to take several computer-based systems offline, including those used to view x-rays and MRIs, to enter physicians’ orders and to access patients’ medical histories. According to Becker’s, it has also caused an outage of MyChart, the patient portal. As a result, appointments for a range of minor and major procedures at the facility have been cancelled.

Though CommonSpirit has yet to confirm the details of the attack or if patient information was compromised due to the incident, a person familiar with the hospital’s remediation efforts confirmed to NBC News that it had sustained a ransomware attack.

Our industry has become all too familiar with such threats to its electronic infrastructure and to protected patient information. IT staffs at facilities throughout the country have stepped up their security countermeasures in recent years, yet incidents like this one show that either (a) those efforts amounted to half-measures, or (b) attackers can now defeat even well-built defenses. The answer probably lies somewhere in between: ransomware crews rarely need novel techniques when a single phished credential or an unpatched internet-facing system will do.

Provide for the Common Defense

Despite these difficulties, there are things hospitals can do to further bolster their defenses. Security Management (SM) published this month a series of strategies that large organizations can use to mitigate cyber threats. The authors of the SM article stress that success in this area ultimately comes down to the individual: employees are the ones who will ensure their organizations are adequately protected. System management and automated processes matter, but it is the individual user who determines whether those controls succeed or fail. Here are some highlights of the SM recommendations:

  1. Leadership Messaging. There is no substitute for leadership. If the message concerning cyber-security is driven home to employees from on high and that message is consistent and pervasive, it will have a strong chance of permeating the culture of your organization. People will get the message because it is constantly being delivered. As a result, they are more likely to meet the requirements set before them. 
  2. Train Your People. The messaging must go hand-in-hand with training the employee on how to go about securing vital systems and information.
  3. Risk Assessment. The facility must conduct regular, ongoing reviews to identify where its current exposure to attackers lies. Those reviews should be grounded in the latest threats identified by government agencies and industry leaders, which means IT staff will have to keep abreast of the most recent tactics being used by bad actors.

The task is daunting, but it is possible to better defend your hospital against ransomware and phishing attacks. The SM authors describe one organization that recently implemented a security awareness training program built on best practices, including user-level visibility of each employee’s risk and targeted remediation for those who fail. When the program launched, the organization measured a baseline phishing failure rate of 27 percent across the company; within 90 days it was down to 3 percent. The conclusion: training and remediation can work when done right, and measuring the failure rate before and after is what demonstrates it.

The American Hospital Association (AHA) has published several pieces of guidance that hospital CTOs and security leaders should consider when designing a bulwark against current cyber threats. The following link will take you to a podcast that summarizes those recommendations: Cybersecurity | AHA.