Extortion increasingly is the motive behind cyberattacks of healthcare companies, a panel of experts told a luncheon audience of the Nashville Health Care Council.
The evolution from worms and viruses to large-scale breaches aimed at exposing clients and extracting ransoms should put every employee of a healthcare organization on high alert, said Paul Connelly, vice president and chief information security officer at hospital giant HCA Holdings and a former chief information security officer at the White House. Having a chief information officer isn't enough, he said.
Companies have to train employees to protect data through practical steps, added Mark Sullivan, principal and co-founder of security consulting firm GSIS and former director at the U.S. Secret Service. That includes securing laptops, which are susceptible to theft, and remembering that unauthorized thumb drives and phishing emails can make weaken an entire organization.
Cybersecurity is every bit “a people challenge,” Sullivan said.
Joining Connelly and Sullivan on the panel were Samar Ali, attorney with Bass, Berry & Sims and Noah Kroloff, Sullivan's co-founding partner of GSIS and former chief of staff of the U.S. Department of Homeland Security.
Sullivan said hospitals are increasingly vulnerable to ransomware attacks during which hackers implant software code that completely shuts down a system. The criminals then ask for a ransom to reopen the system.
In March, the networks of two Prime Healthcare Services hospitals in Southern California were hit by such an attack, but a system spokesman said patient records weren't compromised and the system refused to pay ransom.. The hospitals disrupted were Desert Valley Hospital in Victorville and Chino Valley Medical Center in Chino.
He said to avoid disruption to services, healthcare companies should consider having a backup system. That's especially important for hospitals and other providers.
Ali said it also is important for healthcare companies to have processes and a chain of command in the event of a data breach.
The natural inclination is to call law enforcement to report the breach. But the first call should be to a company's general counsel and possibly outside counsel so that a legal team can determine what should be reported, she said.
By having a chain of command, the optimal information can be shared with authorities to minimize the damage done to patients, clients and the company, she said.
Kroloff said healthcare companies should seek advice from experts outside of healthcare as they form and refine their cybersecurity plans. The financial services sector, for example, is years ahead of healthcare because customers and regulators have demanded it.
Ali said every company has unique data priorities and challenges so cybersecurity should be customized.
“There is no one silver bullet,” she said.