Nowhere else is the link between cybersecurity and personal safety more apparent than in healthcare. As health providers integrate computers into more and more patient care operations, cyberattacks that target these systems have a direct impact on citizens’ health. The threat is not hypothetical. Hackers are already targeting hospitals across the country.

Cyberattacks pose a critical risk to the health care industry for three primary reasons:

From Paper to Computers: The transition from paper record-keeping to electronic records—often mandated by laws that do not require strong security measures—has exposed sensitive personal data to malicious hackers, while also boosting the number of attack points;

Connected Devices: Medical facilities increasingly integrate computing technology into critical medical devices, many of which lack internal security measures; and

Culture: Many medical practitioners view cybersecurity as an impediment to patient care, which often depends on seamless processes and convenience.

This Is Not Hypothetical: Ransomware Attacks

In May 2017, a computer virus known as WannaCry infected hundreds of thousands of computers across the globe with ransomware, encrypting systems so they became unusable. Dozens of hospitals across the United Kingdom were affected; some were forced to turn away patients at the door. While the global span of WannaCry attracted significant media attention, it has overshadowed a constant stream of ransomware attacks on hospitals across the United States. These have forced many healthcare facilities to pay small ransoms, or lose access to critical medical systems.

What Are Key Questions Governors Should Ask?
  • Which state agency is tasked with assisting health providers who are under cyberattack?
  • Do my cybersecurity advisors have a relationship with smaller patient care facilities?
  • How does my state currently regulate the healthcare sector, from insurers to hospitals?

What Can Governors Do?
  • Task a senior advisor, agency or commission to count the number of dedicated IT staff at all in-state healthcare facilities. Some major hospitals and health insurers devote significant attention to reducing cyber risk, but many smaller facilities lack any dedicated IT office. Constructing an accurate picture of the health industry’s IT will aid in planning how the state can provide cyber assistance most efficiently.
  • Promote improved cybersecurity information sharing with health care providers. Many health care institutions do not receive cyber threat intelligence. The state fusion center is an existing hub for cyber threat intelligence and should include health care providers as recipients of relevant cyber threat intelligence. A dedicated state information sharing and analysis organization (ISAO) could ensure that relevant information reaches all corners of the state’s health care sector, sharing signatures of ongoing attacks with potential targets. Fusion centers and ISAOs can anonymize threat intelligence to reassure companies concerned that information sharing could publicize embarrassing news of data breaches prematurely.
  • Raise cybersecurity awareness among medical personnel. Governors should task cybersecurity advisors and law enforcement agencies with providing briefings to patient care staff, as well as delivering key cybersecurity resources on best practices and cyber hygiene.