Health Care Organizations: A Priority Target For Cybercriminals

CommonSpirit Health, the second-largest nonprofit hospital chain in the U.S., confirmed recently that an "IT security issue" had disrupted some of its facilities and required the rescheduling of some patient appointments.

The hospital issued a statement saying, "As a precautionary step, we have taken certain IT systems offline, which may include electronic health record and other systems." The statement also noted that facilities were "following existing protocols for system outages and taking steps to minimize the disruption."

CommonSpirit did not confirm the nature of the cybersecurity incident or say if patient information or health data was compromised.

CHI Health, a subsidiary of CommonSpirit based in Nebraska, reported system outages in its hospitals in Omaha. MercyOne Des Moines Medical Center shut down some IT systems, including electronic health records.

Following several high-profile cyberattacks, the U.S. government issued a warning in July 2022 that North Korea-backed hackers were infecting health care and public health sector organizations in the U.S. with ransomware.

Source: Carly Page, "US hospital chain CommonSpirit Health says 'IT security issue' is disrupting services" (Oct. 05, 2022).

Commentary and Checklist

Health care organizations are particularly vulnerable to cyberattacks because of the sensitive information they store, such as names, family names, Social Security numbers, payment methods, and health histories. When cybercriminals obtain this information, they can steal identities and cause financial harm to patients and to the organization.

Here are some steps health care organizations can take to help prevent cyberattacks and breaches:

  • Assess your IT systems, from computers, personal devices, and wearables to smart technologies. Do this every few months, because technology changes rapidly, as do outside threats. Consider dividing the wireless network into separate small networks.
  • Develop access levels. Not everyone needs to be able to access patient files, and those who do must follow strict protocols that limit use.
  • Use encryption and multi-factor authentication.
  • Back up data regularly and store it in a safe place.
  • Train all employees. Human mistakes account for most breaches. Don't just tell them what to do and what not to do. Explain why, and that their own employment information is also at risk. Train on topics like:
    • Physical security: never leave records or devices unattended
    • Phishing schemes through emails and texts
    • Protect passwords. Require use of long and strong ones.
    • Don't use public Wi-Fi
    • Use USB sticks with care
  • Have a breach response plan and a response team.
