A recent malware attack against a network of pediatric offices in Massachusetts is further evidence that the cybersecurity programs at smaller health systems are a weak link.
The Pediatric Physicians' Organization at Boston Children's Hospital is still working to restore systems impacted by a malware attack earlier this week, according to a statement from Boston Children's Hospital Thursday.
PPOC is a network of more than 500 primary care pediatricians, nurse practitioners and physician assistants from across Massachusetts affiliated with Boston Children's Hospital. On Monday, news broke of a malware attack that forced some patients to reschedule appointments.
Cybersecurity experts said the incident furthers the notion that individual doctors' offices such as those that make up PPOC likely don't have the funding needed to ward off such attacks.
"Any time you're dealing with affiliated offices, you're dealing with smaller organizations that are not going to have the resources to have a comprehensive cybersecurity program," said Clyde Hewitt, executive advisor for healthcare cybersecurity company CynergisTek.
No impact on Boston Children's
According to a statement from Boston Children's about the malware attack, the PPOC IT infrastructure is distinct from the hospital's infrastructure and there was no impact to Boston Children's systems.
Once the incident was discovered, PPOC and Boston Children's IT teams quarantined the affected PPOC systems and secured unaffected systems, according to the statement. IT teams are "making progress to restore the systems," and affiliate offices are continuing to see patients, according to the statement.
This type of attack demonstrates how small provider organizations and health systems are often less equipped than larger health systems or hospitals to handle cybersecurity incidents, said CynergisTek's Hewitt.
Smaller health systems vulnerable to attack
Smaller physician practices are more vulnerable and often lack resources to build better cybersecurity programs, Hewitt said.
Healthcare in general is less secure than other organizations because the healthcare industry has historically underfunded security programs, according to Hewitt. That's starting to change, he said, as healthcare organizations devote more of their IT budget to security, inching near 6%. Still, that's significantly less than what industries such as banking and manufacturing spend on security, he said.
Security programs shouldn't focus just on technology; they should also focus on what to do in the absence of technology. Hewitt advised smaller healthcare organizations to create a cyber resilience plan that details how to continue to operate if systems go down -- even if that means resorting to a paper-based system.
"They should have a plan to function if there's not going to be any technology," he said. "As we rely more and more on technology, we forget that, 'Hey, maybe I need paper forms for down time.' Or 'Maybe I need to make sure my staff knows how to document notes on a paper record instead of only using the computer.'"
David Chou, vice president and principal analyst at Silicon Valley-based advisory firm Constellation Research, agreed with Hewitt that smaller organizations often don't have the right tools in place for good cybersecurity. He described the malware attack that hit PPOC as "not surprising."
"Some of the smaller partners, or even affiliates, of these major academic medical centers, they just don't have the toolsets in place," he said. "And security … it will take a lot of investment to catch up."
Indeed, Chou questions whether larger organizations like Boston Children's should be held accountable for the security of affiliates that they work with closely and share patient data with.
He believes it could be in the best interest of larger healthcare organizations to do so, as malware attacks like this one can damage their reputation and credibility.
"How can these bigger organizations help, or are they going to help, I think that's something to think about," he said.