Regional Hospital Cybersecurity: Practical Defenses

Regional hospitals are particularly vulnerable as cyberattacks on healthcare institutions become more frequent and sophisticated. Cybercriminals increasingly target these facilities due to their wealth of sensitive patient data and often limited cybersecurity resources.

In a recent webinar hosted by EDGE Solutions & Consulting, industry experts Brent Houk, Director of Cybersecurity, and Michael Archuleta, CIO of Mt. San Rafael Hospital and Clinics, shared insights on the challenges hospitals face and practical steps they can take to bolster their cybersecurity defenses. Here, we summarize the key points from the discussion and provide actionable advice to help hospitals strengthen their security posture.

The Growing Cyberthreat Landscape for Regional Hospitals

Cyberattacks on healthcare organizations have skyrocketed in recent years. According to a Ponemon Institute report, 88% of healthcare organizations experienced at least one cyberattack in the past year, with the average number of attacks being 40. The consequences of these attacks are severe, ranging from operational disruptions to direct impacts on patient care.

Regional hospitals, in particular, are prime targets for cybercriminals. They often lack the extensive cybersecurity resources available to larger institutions, making them more vulnerable to ransomware, phishing attacks, and supply chain threats. The webinar highlighted the most common types of attacks facing hospitals:

• Ransomware: This malicious software blocks computer system access until money is paid and remains one of the most damaging forms of cyberattacks. In 68% of ransomware incidents, patient care is directly affected, leading to procedure delays and extended hospital stays.
• Phishing and business email compromise (BEC): Attackers use phishing emails to gain unauthorized access to hospital systems. BEC attacks can disrupt patient care, with 69% of affected hospitals reporting delays in treatments and tests.
• Supply chain attacks: Cybercriminals increasingly target hospitals through third-party vendors, with 77% of supply chain attacks causing severe disruptions in patient care.

Given these rising threats, hospitals must proactively defend their systems and safeguard patient care.

Impact on Patient Care

One of the most significant consequences of cyberattacks on regional hospitals is the disruption of patient care. Cyberattacks are not just technical challenges but direct threats to patient safety.

The Ascension Hospital ransomware attack, discussed during the webinar, is a real-world example of how devastating such attacks can be.

On May 8, 2024, Ascension Hospital faced a crippling ransomware attack that encrypted critical patient data, forcing the hospital to revert to manual processes. Emergency services were delayed, medication errors increased, and lab results were lost. This attack underscored the urgent need for hospitals to strengthen their cybersecurity measures to protect their systems and patients.

Practical Cybersecurity Strategies for Regional Hospitals

During the ​​webinar, Houk and Archuleta emphasized that while the threat landscape may seem overwhelming, regional hospitals can take several practical steps to improve their cybersecurity posture.

1. Conduct comprehensive risk assessments: Hospitals should start by identifying potential vulnerabilities in their systems and assessing the risk level.Hospitals can focus their limited resources on addressing critical security gaps by prioritizing the most severe risks. Align risk assessment with HIPAA and Health Industry Cybersecurity Practices (HICP) guidelines.
2. Implement multi-factor authentication (MFA): MFA adds an extra layer of security by requiring users to provide two or more verification forms to access hospital systems. Even if a password is compromised, MFA markedly reduces the likelihood of unauthorized access. Hospitals should implement MFA across all critical accounts and systems. According to Verizon’s Data Breach Report, MFA can prevent about 96% of bulk phishing attacks and about 76% of targeted attacks from compromising accounts.
3. Encrypt data at rest and in transit: Encryption protects sensitive patient data. Hospitals should ensure that all patient information is encrypted when stored on servers or devices (data at rest) and transmitted over networks (data in transit). Strong encryption standards like AES-256 for data at rest and TLS for data in transit can help mitigate the impact of data breaches.
4. Conduct regular phishing simulations and security training: Employees are the first line of defense against cyberattacks. Regular phishing simulations can help staff identify and avoid phishing attempts, reducing the risk of a successful attack. Additionally, continuous security awareness training ensures employees stay informed about the latest threats and best practices for keeping hospital systems secure. Recognize and reward employees when they exhibit security conscientious behaviors.
5. Develop and test an incident response plan: Every hospital should have a comprehensive incident response plan that outlines how to respond to various types of cyberattacks. The plan should be regularly updated and tested through drills to confirm that all staff members can react quickly and effectively during a cyberattack. Including third-party vendors in the plan is also critical, as they are often a point of vulnerability. Be sure to account for how to maintain the integrity of patient care while systems are unavailable.
6. Use advanced monitoring tools: Technologies like Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) can provide hospitals real-time visibility into their networks. SIEM systems allow hospitals to monitor and analyze security events, helping them detect and respond to threats more quickly. EDR tools continuously monitor devices connected to the hospital’s network, identifying potential security incidents before they escalate.
7. Network segmentation: Network segmentation involves dividing a hospital’s network into distinct zones, ensuring that even if one part of the network is compromised, the attacker cannot move laterally to other systems. For example, patient management systems should be isolated from guest Wi-Fi or administrative networks. Apply network segmentation to FDA-approved systems and any systems running unsupported legacy operating systems.

Addressing Compliance and Regulatory Requirements

In addition to technical defenses, hospitals must also navigate a complex regulatory landscape, including compliance with laws like HIPAA and HITECH. Non-compliance can result in severe financial penalties, legal consequences, and damage to the hospital’s reputation. Hospitals should regularly audit their security practices to make sure they meet regulatory standards and avoid costly penalties.

Final Thoughts: Preparing for the Future

Regional hospitals must be proactive as the frequency and complexity of cyberattacks on healthcare organizations continue to rise. By adopting a layered defense strategy, regularly training employees, implementing advanced monitoring tools, and maintaining compliance with regulatory standards, hospitals can reduce their risk of falling victim to cyberattacks.

The webinar’s key takeaway is that healthcare cybersecurity is not just about protecting systems-it’s about protecting patients. By prioritizing cybersecurity, hospitals can ensure they are safeguarding their operations and their patients’ well-being.

Related Content:

Battling Cyber Threats: Regional Hospitals are Under Siege & Fighting Back