After attacks on healthcare facilities, tech giants will help small hospitals with cyber defense

More devices than ever in hospitals require internet connections, everything from MRI machines and medical records to heart rate monitors. The latest and greatest equipment can speed up and improve patient care, but connection comes with risks.

“If you can’t afford protection, you can’t afford to get connected,” he said. Beau Woodscybersecurity expert and founder of Stratigos Security.

Keeping up with the latest cybersecurity tools can be expensive, but it’s crucial for hospitals large and small. They’ve recently become prime targets for malicious hackers because of the valuable patient data that can be sold or held for ransom.

These attacks on healthcare organizations can be financially crippling, but the costs could be higher. Federal reports and studies show that cyberattacks slow doctors’ ability to treat patients and can even force hospitals to refer patients elsewhere for treatment, delaying care and putting patients’ lives at risk in cases such as stroke.

Cyberattacks on US Healthcare Sector more than twice between 2022 and 2023, according to the Cyber Threat Intelligence Integration Center.

In February, Change Healthcare, a healthcare payment processing company, suffered a devastating attack. wreaked havoc by the United States

Pharmacies could not verify and fill prescriptions, and doctors could not bill insurers or check patient histories.

Andrew Witty, CEO of UnitedHealth Group, testifies at a Senate Finance Committee hearing on health care cyberattacks May 1, 2024, on Capitol Hill in Washington. Hackers attacked his company’s subsidiary, Change Healthcare, in February, causing massive disruptions to medical claims and payments. UnitedHealth Group ultimately paid a $22 million ransom in bitcoin, Witty said.

In May, a ransomware attack hit Ascension, a Catholic health care system with 140 hospitals in at least 10 states. Doctors and nurses working at Ascension reported medication errors and delays in obtaining laboratory test results that had a negative impact on patient care.

On June 10, the Biden administration announced several safeguards to enhance cybersecurity in healthcare.

Announcement included a plan for tech companies Google and Microsoft to offer various cybersecurity services for free or at discounted prices to hospitals that otherwise couldn’t afford the latest and greatest cyberdefenses.

Properly protecting against cyberattacks can be especially difficult for smaller hospitals.

“For several reasons: it is expensive, and finding IT specialists is associated with the same problems as recruiting people to work in rural communities,” he said. Bob OlsonPresident and CEO of the Montana Hospital Association.

Many advanced cybersecurity tools are reportedly designed primarily for larger hospital systems and cost at least six figures. Lee Kimcybersecurity expert Healthcare Information and Management Systems Society.

Only recently have IT companies started offering these products to medium and small hospitals, Kim added.

That’s why Kim and other cybersecurity experts say the recent White House announcement is significant and necessary. Google and Microsoft will offer a year of free security assessments and discounts of up to 75% on cybersecurity tools for small and rural hospitals.

“We will never be able to create a level playing field here, but we need to be able to provide at least a basic level of protection to keep our communities safe,” he said. Alan MorganDirector General of the National Rural Health Association.

Morgan helped broker the deal with the tech giants. While these services are temporary, he believes many hospitals will take advantage of them.

Others expressed concerns that the offer is only valid for a year. Without future support, small hospitals may once again have trouble paying for adequate cyber defenses, he said. Amie Stepanowiczexpert in Future of Privacy Forum

Stepanovich also would like to see the federal government provide more direct aid to hospitals after the attacks and more assistance with recovery.

She predicts that cyberattacks will continue to happen in hospitals large and small because a facility’s cyber defenses must be spot on at all times. “All an attacker needs is to find one vulnerability,” Stepanovich said.

Small hospitals are increasingly becoming targets of attacks.

Logan Health in Kalispell, Montana, has experienced multiple data breaches, decided the court case following a 2019 hacker attack on the data of hundreds of patients.

Data breaches were also reported at St. Vincent Hospital in Billings, Montana, and St. Patrick Hospital in Missoula, Montana.

The hospital in Gillette, Wyoming was forced to redirect patients to other hospitals in 2019 during a cyberattack because they could not be provided with appropriate treatment.

Beau Woods said attacks like those in Wyoming and other rural areas are dangerous because the nearest hospital can be 30 minutes or more than an hour away.

This puts patients with acute and life-threatening conditions, such as strokes or heart attacks, at greater risk of permanent damage and even death.

Woods helps run cyber attack simulations for suppliers by CyberMed Summita nonprofit organization focused on cybersecurity in the healthcare industry.

In a recent simulation, Arman Hussain, a resident physician at George Washington University, practiced treating two patients, one of whom had a stroke and the other a heart attack.

During the simulation, Hussain had to treat mannequins standing in for patients. Nurses and other staff members followed a set script, but Hussain didn’t know what problems he would encounter.

“In both of these scenarios, our ability to use a computer and some of our ability to use important monitoring software disappeared during the simulation,” he explained.

Hospitals have developed some workarounds for these situations. Doctors and nurses can take manual readings of pulse and blood pressure rather than relying on networked devices. They can use instant messaging to send written orders to a lab or pharmacy.

But other tasks, such as obtaining lab results or dispensing necessary medications, can be extremely difficult if the hospital processes that data through a downed computer system.

Ignorance of a patient’s allergies and the inability to access other relevant information in their digital health record can also lead to medical errors.

Every hospital should provide this type of training, Hussain said after the simulation. They should also create plans for cyberattacks so patients can get the life-saving care they need.

“Putting yourself in that situation raises a lot of different logistical questions that you would never think about if you weren’t in that situation,” Hussain said.

This article comes from NPR’s collaboration with the medical reporting department. MTPR AND KFF Health News.