By Mike Kijewski, Medcrypt CEO
In May of this year, I was invited to visit the White House with a group of healthcare cybersecurity experts to discuss solutions to our nation’s healthcare cybersecurity crisis. We spoke with representatives from government agencies like the NSC, CISA, HHS, DHS, and others. What prompted the urgency of this meeting?
When I started working in this field in 2014, most people I talked to expressed skepticism that our healthcare system would become a target for hackers. But as the years progressed, we saw patients’ healthcare data sell for millions of dollars on the dark web. Then, we saw hospitals lose the ability to deliver care due to ransomware taking down their clinical networks. But March 2024’s Change Healthcare cyberattack saw U.S. healthcare providers no longer able to be paid for the services they delivered. Now this is serious!
Our delegation included representatives from industry trade groups, hospitals, big tech (thanks, Google!), and med tech. What became clear during our preparation meetings was that hospitals desperately want to improve the security of their networks. They really do. But hospital IT has become so complex that it’s virtually impossible to retroactively improve the security of these systems.
Much of the IT infrastructure they receive from their suppliers was designed for a world in which healthcare networks were not subject to constant cybersecurity attacks. Pair this with decades-old medical devices running legacy operating systems, and you have a network that is next to impossible to effectively defend.
I made the observation that an attacker getting access to my Gmail username and password may allow them to read my email, but it’s not going to allow the attacker to infect the central Gmail servers with ransomware. So why then is it that a nurse who clicks a phishing link and exposes his user credentials runs the risk of bringing down the entire hospital network? It’s because the systems that clinicians are logging into are not designed to be as secure as a web-facing system like Gmail. That’s our central problem.
So what can the government actually do to fix this problem? Do we really want the federal government going to a community hospital that was just the victim of a crime and fining them for not successfully securing a product they purchased from a third-party vendor? That doesn’t sound like the right intervention to me.
In my opinion, the best way for the government to improve the security of our nation’s healthcare system is for them to encourage and support the adoption of healthcare technologies that are built like Gmail: designed to be operated safely in a hostile environment. I’m looking forward to working with this delegation over the coming weeks to develop specific policy proposals describing how our government might best do this.
P.S. If you ever get to visit the White House, be sure to visit the secret gift shop in the basement!