A survey released in early September from Proofpoint, Inc., and the Ponemon Institute, on cybersecurity in health care raises important issues but appears to have a number of significant limitations. First, it is not a study or report of medical data. It is a survey of health care IT personnel.

Because it is not a study of patient outcomes, the survey does not appear sufficient to support the headline in Proofpoint's press release that "Cyberattacks Cause More Than Twenty Percent of Impacted Healthcare Organizations to Experience Increased Mortality Rates." While cyberattacks on hospitals and health systems are certainly a significant risk – as they are in any field or business – because they can disrupt care delivery, there appears to be no reliable empirical evidence that demonstrates these attacks are the cause of increased mortality rates.

Another questionable assertion by Proofpoint is that "cybersecurity remains a low priority" in the health care sector. I can assure you the hospital leaders I talk to each day view cyber risk as a significant risk to their organization. They routinely devote significant resources to shore up cyber technical defenses, increase cybersecurity budgets, and train all staff to spot phishing emails that might contain malware, or worse, ransomware. Hospitals also use layers of technical defenses to deflect and detect network intrusions such as multi-factor authentication, network segmentation, endpoint protection tools and enhanced backup and recovery capabilities and procedures. Thus, to imply that all hospitals that become victims of a cyberattack are presumptively negligent in some manner, is simply inaccurate. It also fails to reflect the reality that no organization is completely immune from cyberattacks, regardless of the number of resources devoted to cybersecurity. This includes the federal government and cybersecurity firms.

I routinely receive calls to conduct C-suite cyber tabletop exercises and to provide guidance on developing cyber incident response plans and downtime procedures, which help prepare hospitals to get through the digital darkness should a ransomware attack happen. The AHA also has engaged in more robust cyber threat information sharing relationships with the FBI and other agencies in order to assist the hospital field with increasing the defenses needed to better fend off cyberattacks.

Yet even with all that, there are inherent limitations that affect every field or business. Any winning solution to this national security threat also must include combined and coordinated actions by the U.S. government and our allies. The U.S. government should continue on its path of utilizing all elements of national power to increase risk and consequences for these foreign-based cyber adversaries, who threaten American citizens’ data and pose a direct threat to U.S. public health and safety.

That’s why although the findings of the Proofpoint and Ponemon survey may warrant further review, it does not appropriately reflect the importance most hospitals place on cybersecurity. And a headline that fails to reflect the importance hospitals place on cybersecurity does a disservice to our nation’s hospitals and our front-line heroes who sacrificed so much during the pandemic and are continually working to deliver quality care to patients, protect their data and serve their communities.

Related News Articles

Headline
AHA yesterday thanked Reps. Jason Crow, D-Colo., and Brian Fitzpatrick, R-Pa., for introducing a House companion to the Healthcare Cybersecurity Act (S.3904/H.…
Headline
The communications protocol for the Medtronic MiniMed 600 Series Insulin Pump System could allow an unauthorized person to access the pump to deliver too much…
Headline
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) yesterday alerted the sector to a monkeypox-themed phishing…
Headline
Cyber criminals are increasingly targeting health care payment processors to redirect payments intended for health care providers to accounts they control,…
Headline
The FBI yesterday charged three Iranian nationals with allegedly orchestrating a scheme to hack into the computer networks of multiple U.S. victims,…
Headline
The FBI today released recommendations to help protect medical devices from cyberattacks that can threaten health care operations, patient safety, and…