By Jeff Wardon, Jr., Assistant Editor

Cyberattacks and data breaches alike continue to affect healthcare facilities. Daily, new vulnerabilities and exploits are found within healthcare systems. All this is in an effort to access sensitive and valuable data, then extract it and potentially sell it off. Cybersecurity is the line of defense guarding against these unauthorized parties obtaining the data they want.  

Given this, the U.S. government named the month of October “Cybersecurity Awareness Month” to emphasize the importance of cybersecurity programs and initiatives. With healthcare undergoing changes in its information technology infrastructures, being cybersecurity-aware is critical to this process. 

This is due to healthcare facilities becoming more integrated with interconnected information technologies, such as Internet of Things (IoT) devices and building automation systems (BAS). These devices, if not protected, can provide an open door for cyber-attackers. And, if these devices are breached, then patient data becomes exposed and ripe for the taking. 

“All of the devices these days are increasingly connected and reading data into some database elsewhere,” says Nilesh Chandra, U.S. healthcare analytics lead at PA Consulting. “The number of systems involved adds to the complexity because the data is flowing all over the place into lots of different systems and you need to secure all of them.” 

Another vulnerability Chandra mentions is larger machines that do things such as imaging because they can be running on closed-off computers that may not be up to date with the latest security patches. Chandra adds that these computers run on a completely different internal network that is not connected to the public internet whatsoever. If one of these is plugged into an external-facing network, a large vulnerability is introduced to the entire healthcare facility’s network.  

With vulnerabilities such as these introduced to a network, unauthorized parties can find potential avenues for access, thus leading to a breach. When a breach or related cyberattack happens, it can even cause a healthcare facility to shut down completely.  

“If that happens, all the patient related information is stored on these systems that are down,” says Chandra. “Doctors and nurses are suddenly left in a position of making life and death decisions without access to the right information. The potential for all kinds of harm happening to patients just goes up very, very significantly. That is the real impact of these cybersecurity breaches.” 

However, shutting down is not the only concern that healthcare facilities face with data breaches. Unlike many other industries, healthcare facilities must answer to the overarching regulatory framework of the Health Insurance Portability and Accountability Act (HIPAA), according to Chandra. If patient data is compromised, healthcare organizations may be held liable and face legal challenges. 

To defend against these breaches and their ramifications, Chandra recommends having a multi-layered security architecture that partitions information. This is so that if at any point a security compromise were to crop up, the threat could be minimized quickly. Chandra also stresses that early detection of these breaches or attacks is paramount to containing them. That way, the affected part of the infrastructure is sectioned off while the rest of a facility’s operations can resume. 

Jeff Wardon, Jr. is the assistant editor for the facilities market.