New security guidelines released for hospitals
Published 9:30 pm Friday, May 26, 2017
New cybersecurity standards have improved the safety of patients at Suffolk hospitals and throughout the commonwealth.
The Virginia Hospital & Healthcare Association board of directors convened a cybersecurity task force to establish guidelines against cyber-attack vulnerabilities for the 107 hospitals and 30 health delivery systems that are part of the association.
“This type of coordinated effort among the entire Virginia hospital community is crucial to prevent, detect and responsibly respond to the emerging frequency and severity of modern cyber-attacks,” Dan Bowden, Sentara Healthcare vice president, chief information security officer and task force participant, wrote in an email.
The task force finalized the guidelines this spring, prior to a global ransomware attack earlier this May that hit at least 150 countries and 200,000 machines. The WannaCry ransomware attack targeted computers running Microsoft Windows operating systems, encrypting computer data and demanding payment for access.
Medical facilities and devices in the United States were among the victims, along with 48 hospital trusts in the United Kingdom.
“For all the convenience and enhanced productivity that technology provides, it is an unfortunate reality of modern life that digital criminals are lurking online to turn technology against us for their own nefarious purposes,” VHHA President and CEO Sean T. Connaughton stated in the press release. “The hospital community is one of many industries around the globe that is well aware of these threats.”
Bon Secours spokeswoman Lynne Zultanky confirmed that Bon Secours Health System was not affected by the recent ransomware attacks. Per the guidelines, a risk response team with staff in Virginia and other states monitors their internal systems for the most recent cybersecurity threats.
“We continue to focus on ensuring that all security patches are up to date, and we continue to ensure that our staff remains diligent in keeping our internal systems safe,” Zultanky said in an email.
According to the Identity Theft Resource Center, there have been 676 data breaches in the United States this year as of May 23, with more than 10 million records exposed. More than 20 percent of those breaches have been in the health care sector.
In January, Sentara announced it had discovered in November that one of its third-party vendors suffered a cybersecurity incident. This breach impacted the records of 5,454 patients seen between 2012 and 2015 at Virginia Sentara hospitals, including patient names, Social Security numbers and demographic information.
Bowden said Sentara’s systems were not affected by the ransomware, but that their cybersecurity personnel remain vigilant.
“Due to the rapidly evolving nature of this threat and as more is learned about the malware on an almost hourly basis, we will continue to take appropriate measures to ensure that our systems remain secure,” he said.
According to the press release, the task force introduced nearly two dozen recommendations earlier this spring.
These guidelines require the education of all hospital personnel on safe use of computer systems. They also require automatic prevention plans integrated into security protocols, and well-planned contingencies in the event of a security breach.
“In Virginia, our hospitals and health systems remain on guard against potential breaches,” Connaughton said. “Our members have done that by advocating for new laws to toughen criminal penalties for cyberattacks targeting health care records, and by working collaboratively to prepare the new cybersecurity guidelines.”
VHHA advocated for legislation during the 2017 General Assembly that would make it a Class 5 felony to deny users access to their data using ransomware.
“Although the legislation (HB 2288 and SB 1090) did not advance during the 2017 session, VHHA and its members continue to work to protect the integrity of electronic health care records for the good of our health care system and patients,” the press release said.