
Tech to protect against ransomware, ensure hospital data security

Hospital data security is at the forefront of everyone's minds in health IT, especially with the increase in ransomware attacks. Two CIOs discuss the essential technology.

With the increase in ransomware attacks, hospital data security is at the forefront of many healthcare CIOs' minds. Many agree that the ideal course is to do everything possible to maintain hospital data security, so that a hospital that is attacked is never left with no choice but to pay the ransom.

Keith Jennings, CIO at Mass General Hospital in Boston, and Andrew Rosenberg, M.D., interim CIO at the University of Michigan Health System in Ann Arbor, share pointers on what can be done to protect against a healthcare ransomware attack and improve hospital data security.

What technologies should hospitals and health systems be using to ward off ransomware attacks and ensure hospital data security?

Keith Jennings: It has to be an array and depth, right? So all of your PC devices need virus checking [and] scanning software. All of your servers need virus checking software. A real component here is you have to stay current on your [scanner software], whether it's Microsoft or Unix or whatever versions you are [on], because vulnerabilities come in even with scanner software. So you've got to keep everything current and keep them with the proper antivirus, antispam [and] other activities. And then ... we're spending more time on ... cleaning a virus that gets your PC. What you really want to do is stop it from getting there, and so now you have to spend some time at your firewall and at your email gateways, and you really want to try and strip out as much of these things, keep them from getting in as opposed to curing them when they're done. So we're spending more and more time on the edge to try and stop them from coming in.


And then an emerging area for us is everyone's walking around with a cell phone, and for a very long time, there weren't too many viruses coming in there, but ... I think that's going to be the next growth area in viruses and antivirus protection because everyone has them. And as the devices get smarter, they're no longer a smartphone, they're a small computer. [You] need to look at those activities, and you really have to use things like mobile device management tools and other things to try to start locking those things down -- or at least compartmentalize your secure data. So anything a user might use that's of a personal nature is very separate from your key clinical or administrative data.

Andrew Rosenberg: So what we're doing, like I think more than other organizations, is that we are recognizing that investments in cybersecurity and in information assurance and in identity management and hardening ... our shell, but also being more knowledgeable about how internal maleficence, internal attacks, can also be damaging is now part of healthcare, certainly part of health information technology. And I would say that, equally, the ability to respond and recover the entire framework of how we think about cybersecurity is increasingly important [to protect against healthcare ransomware attacks].


Many people in healthcare will resonate around the idea that we've done fire drills, and we've done all sorts of mandatories that people feel are of questionable value, but most places probably have not done one -- let alone multiple -- drills around cyberevents, oftentimes that start in a way that you're not sure of what's going on. And the ability to respond and then recover are all part of that overall framework.

We're spending a lot more time at the University of Michigan, for example, doing that. Not just doing it with the health system, by the way, not just doing it within the hospitals and clinics but actually as part of the overall organization. And I think that's another part that is frequently missed, ... cybersecurity response and recovery. The entire framework of that really should be part of that overall organization, not just that one specific entity that's trying to increase its defense and its ability to recover. ... What's more important is that we spend that much more time preventing, detecting and then planning our response and recovery, including the ability to recover from the event with backup information and backup systems.

To not have things backed up these days in healthcare seems to me to be inadequate planning for healthcare IT, and so I think that part of this discussion around cybersecurity has to be how ... cybersecurity [is] part of the broader incident management and disaster plans, whether they're physical disasters like the hospital in the Midwest that was destroyed by a tornado, or hospitals that have flooding events, or hospitals that have power outages or maleficence. These all have to be part of a robust response to provide the security, reliability and recovery of health information now that it's digital.
