Futility of Staff Training on Cybersecurity in Hospitals

Cybersecurity Concerns and Monetary Motivations

Cybersecurity has been a concern for many companies in different industries for a while now and the solution to this threat still appears to be far off. Some of the institutions that have been victims of cybercrimes include schools, banks, and other financial institutions. While some hackers perpetrated their actions purporting to do justice for those that cannot get such justice, the largest motivator has always been the potential monetary reward. For instance, by penetrating a banks security system, a hacker can manage to transfer some of the money to their account. On the other hand, where only information is stolen, the hackers hold on to such information and claim a monetary reward for its return. Recently, the healthcare industry has become of being interest to cybercriminals with the number of cyberattacks on hospitals continuing to increase (Rowe, 2010). Essentially, data stolen from a bank is likely to become redundant as soon as the breach is discovered. However, this is not a possibility for healthcare institution considering that some of the collected data could include personal identities for the patients and their corresponding medical histories. It has been estimated that at least one out of 13 patients will have their data compromised in the event that a cyber attack occurs. Unfortunately, the cyber attack threat on hospitals might just be beginning. This research will seek to show that no matter how much training workers are taken through regarding cyber awareness, this will not stop the cyber attacks on healthcare facilities.

The Futility of Staff Training on Cybersecurity in Hospitals

Cyber attacks come in various forms, but one of the most prevalent forms these attacks is the use of ransomware. Despite the fact that ransomware has been in use for over a decade, their popularity has only grown recently owing to the growing trend of cyber attacks on hospitals and other healthcare facilities (Wright et.al, 2016). Essentially, the malware is used to lock one’s computer denying them access to it until one pays a ransom demanded by the hacker. In attempts to avoid having the transactions traced to them, the hackers often demanded payment in bitcoins. Just to mention, bitcoin is a digital currency harness a decentralized technology known as blockchain (Nakamoto, 2008). What makes hospitals especially vulnerable is the fact that they heavily rely on updated information from patients records to provide healthcare. Inaccessibility of information such as directives for a surgery of a patient’s drug history could significantly derail the provision of healthcare. Considering this, hospitals, unlike other institutions are more likely to pay the demanded ransom for the sake of the patients.

The Need for Reinforced Firewalls and Network Security

One of the main reasons why training workers and creating awareness on cyber attacks and cybersecurity will not help prevent the cyber-attacks is the fact that such attacks are often executed remotely. For instance, one of the training points on cybersecurity would be effective password protection of user computers and safekeeping of such passwords. However, hackers can harness sophisticated software to gain access to the hospital mainframe allowing them to access all the information they need. Notably, the Hollywood Presbyterian Medical Center in Los Angeles suffered a cyber attack when its systems were taken hostage through the use of a ransomware known as Locky (O'Gorman, & McDonald, 2012). The computers were offline for over a week which resulted in inconveniences and derailment of effective healthcare provision in this facility. The systems only came back online after the hospital officials made a payment of $17,000 in bitcoin. The Methodist Hospital in Henderson suffered a similar attack which locked the healthcare providers from accessing patient files. Fortunately for Methodist hospital, they were able to restore the hospital's data from the backups thus they did not have to pay the ransom. The case of the Methodist hospital is, however, an isolated case considering that most of the hospitals an institution that has been hacked before need up suffering heavy monetary losses or losing a lot of critical data.

The Role of Network Security over Training Workers

As technology advances so do hacking skills and know-how. In fact, new powerful and more sophisticated technologies benefit the hackers significantly thus enabling cyberattacks. For instance, a few years ago, hackers would demand ransoms through wired transfers which made them vulnerable to being found out considering the possibility of following the transaction trail. However, the development of a much more sophisticated technology known as blockchain which supports digital currencies such as bitcoin helps solve the threat of tracing the transaction trail. For starters, the blockchain technology and by extension bitcoin is decentralized which means there is no central institution that can be questioned about the transaction. Additionally, making a bitcoin reverse is impossible since the blockchain technology is developed to only accommodate forward transactions without allowing for reversals. Considering this training the workers on cyber attacks would require that they are trained on every upcoming technology a practice that is virtually implausible. Additionally, the advancement in technology means that administrators now have to protect virtually everything accessible through the network including personnel information (Griggs & Gul, 2017).

Importance of Network Security and Outsourcing

Ransomware is said to have started in eastern Europe but its effectiveness has seen its popularity and application increase quite significantly. Notably, there has been a significant improvement in the scheme used by the attackers especially with the development of cryptware which enables the attacker to encrypt files on the victims’ computers with a private key that the attacker alone possesses. In as far as hackers are concerned, this development is quite remarkable since they can now do more than just lock a keyboard or a computer. In efforts to prevent the cyber attacks, the hospital can opt to incorporate access authentication as a control measure for patent data. By so doing, the number of persons accessing patient information would be limited make it simple to know who might have defaulted exposing the information to cyber attack. To reiterate, however, cyber attackers do not need to be present within the hospital premises to access the information they need more so when they can harness new and more sophisticated software to access such information remotely. As such, probably the best option would be looking into ways to reinforce firewalls to prevent remote access of hospital databases.

The Role of Tech Administrators in Network Security

Among other institutions, schools are some of the institutions that have had to contend with cyber attacks since earlier than the hospitals. According to Herold, (2017), one of the major reasons why vast student information has been lost through cyber-attacks is the negligence of the tech administrators. Essentially the tech administrators in schools within Texas and Arizona allegedly preferred to invest in user gadgets as opposed to improving network security. Considering this, it is clear that while hospital may opt to train the workers, such efforts would be futile if the central players in this case who are the tech administrators fail to make strategic and well thought out decisions. Moreover, training the workers might only be plausible the support team understands the gravity of cyber attacks and takes necessary precautions to secure the network. Herold, (2017) argues that securing the network would be a more optimal solution in the prevention of cyber attacks as opposed to training the workers.

The Ineffectiveness of Worker Training in Cybersecurity

The futility of creating awareness among the workers regarding the importance of cybersecurity and the gravity of cyber attacks is evidenced by major companies that have been hacked in the past despite having created awareness on this issue. Some of these companies include Target, Sony, LinkedIn, JPMorgan, Home Depot, Tesco, chipotle and most recently MT. Gox. it is quite imperative that these companies considering their tenure of existence and knowledge on cyber attacks would have been in a position to prevent these attacks if worker training was an effective approach. However, the fact that they got hacked nonetheless means that training is not the way to go in the prevention of cyber attacks. The recurring theme in all these cases, however, is the need to improve and reinforce network security especially considering the fact that these attacks are often perpetrated remotely (Durham, 2017).

Network Security and the Value of Health Data

Hooker & Pill, (2016) argue that most cyber attacks on companies target the CEOs by virtue of their wealth. However, some attacks target the company itself especially if the company has a record of exemplary financial performance. MT. Gox, for instance, was the largest cryptocurrency broker which made it a very lucrative target for the hackers. Looking at the hospitals, however, cyber attacks are not aimed at the wealth of the hospital or a particular patient by virtue of their social status. Instead, cyber attacks on the hospital are more like preying on the vulnerability of the hospitals considering their heavy reliance on the patient information in providing healthcare. According to Hooker & Pill, (2016), courts hardly support most cybersecurity cases considering the difficulty involved in proving the case to no reasonable doubt that a particular person hacked into the company’s system (Norris et.al, 2015 & Quinn, 2018)). Considering this, hospitals ought to consider more reliable options such as outsourcing network security experts considering the futility of worker training.

The Increasing Threat of Cybercrime in Healthcare

With more and more hospitals falling victims of cyber attacks, ransomware is quickly becoming a very lucrative operation at the expense of unsuspecting victims. In 2015, the FBI reported that the total amount of money paid by different entities to have their computers unlocked amounted to $24 million. As at 2016, that amount had increased to $1 billion. Going by this data, it is imperative data it is imperative to say that cybercrime has become an omnipresent threat that ought to be addressed by taking radical measures with regard to network security (Yan et.al, 2012). Considering that some tech-related companies such as Sony, Equifax, and Uber have fallen victim to these attacks despite their possible preparedness in this regard, it is clear that the ransoms paid are likely to continue increasing especially considering that hospitals are more vulnerable than these companies. The healthcare sector particularly finds itself in a rather serious predicament considering that health data is quite valuable. While it is estimated that a credit card sold by the hackers can fetch about 10 to 15 cents, a medical record can be sold for a price between $30 to $500. Unfortunately, even with the increase in cyber attacks on hospitals, some people still fail to realize that their health information is more valuable than their credit card. Through a health record, a hacker would be able to access a person insurance information, some financial information and even pharmaceutical information.

Conclusion

Erie County Medical Center is one of the health institutions that has suffered cyber attacks recently and its case if nothing else emphasizes that training workers and creating awareness about cyber attacks cannot help prevent such attacks. Hospital staffers could do nothing but stare at their black screen and a message that stated that they could be able to recover their information upon payment of 24 bitcoins, which was equivalent to about $30,000 at the time of the attack. The leadership in the hospital opted to shut down the computer system and the staffers had to then rely on rudimentary means to go about their duties until they could get back online safely. Normalcy was not restored until about 6 weeks later and in addition, it cost the hospital about $10 million in lost revenue and cost relating to the rebuilding of the network. Notably, Erie County suffered this attack even though it had recently conducted a risk assessment of cybersecurity. In terms of preparedness, the hospital would be rated above average. What this illustrates is that the hospital sought to invest more in network security as opposed to training workers on cybersecurity. Additionally, since the hackers tend to have the more superior technology, hospitals and other institutions ought to invest in research and development on more sophisticated network security measures.

References

Durham, K. (2017). Cybersecurity in The Healthcare Environment.

Griggs, G., & Gul, S. (2017, Summer). Cybersecurity threats: What retirement plan sponsors and fiduciaries need to know--and do. Journal of Pension Benefits: Issues in Administration, 24(4), 17-21.

Herold, B. (2017, November 28). Schools struggle to keep pace with hackings, other cyber threats. Retrieved from https://www.edweek.org/ew/articles/2017/11/29/schools-struggle-to-keep-pace-with-hackings.html

Hooker, M., & Pill, J. (2016). You've been hacked, and now you're being sued: The developing world of cybersecurity litigation. Florida Bar Journal, 90(7), 30-40.

Low, E. (2017, September 8). Equifax shares wither after hack of nearly 45% of u.s. population. Investor’s Business Daily, p. 19.

Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system.

Norris, D., Joshi, A., & Finin, T. (2015, June). Cybersecurity challenges to American state and local governments. In 15th European Conference on eGovernment (pp. 196-202). Academic Conferences and Publishing Int. Ltd.

O'Gorman, G., & McDonald, G. (2012). Ransomware: A growing menace. Symantec Corporation.

Quinn, M. (2018). Hospitals Face Steep Cybersecurity Challenges with Less Government Help. Govtech.com. Retrieved 8 April 2018, from http://www.govtech.com/security/Hospitals-Face-Steep-Cybersecurity-Challenges-with-Less-Government-Help.html

Rowe, N. (2010, January). Towards reversible cyberattacks. In Proceedings of the 9th European Conference on Information Warfare and Security (pp. 261-267).

Wright, A., Aaron, S., & Bates, D. W. (2016). The Big Phish: Cyberattacks Against US Healthcare Systems.

Yan, Y., Qian, Y., Sharif, H., & Tipper, D. (2012). A survey on cybersecurity for smart grid communications. IEEE Communications Surveys and Tutorials, 14(4), 998-1010.