Changing the cybersecurity culture

Ransomware and malware attacks continue to plague hospitals and institutions, scoring frequent and disruptive hits. Internal data breaches are commonplace. Risk-laden network links with external agencies and partners abound. Security weak spots are discovered in legacy systems and new applications alike. Clinicians working around medical device security protocols expose chinks of vulnerability in the IoMT.

Anyone building a picture of the state of cybersecurity in healthcare globally would struggle to find encouragement for the beleaguered hospital CIO, with many organisations apparently unable to break out of a reactive cycle and shift to more proactive defence strategies.

Bold statistics do little to improve the anecdotal picture. In April, the U.S. Department of Health and Human Services reported 44 healthcare data breaches for the month, a record. The fact that the number of individuals affected fell by 29% from 963,794 to 686,953 compared with March was not exactly grounds for optimism, given the potential scale of the impact.

Cyber risk and privacy management specialist IT Governance publishes a monthly blog of data breaches reported worldwide. The healthcare sector is well-represented and while these lists are a litany of phishing, ransomware and distributed denial-of-service (DDoS) attacks, they are also peppered with more banal cybersecurity failures that hint at the cultural challenge of managing risk in many institutions. These range from unauthorised employees accessing patient records to coding errors that unwittingly expose records.