Eau Claire Leader-Telegram. September 5, 2023.
Editorial: An unwelcome wake-up call on cybersecurity
The cyberattack on the HSHS Medical Group’s networks should be a wake-up call to health care throughout the region. It’s a serious matter that must be taken into account by anyone who works in the industry.
The reality is that medical information is a tempting target for hackers. There’s a wealth of data, much of it private enough that knowing it makes an identity claim much more plausible. A successful hack grants access to names, birthdates, medical histories, residences, cell phone and other contact information, along with details people frequently wouldn’t want shared publicly.
This isn’t new. In 2021, the Association of American Medical Colleges warned about the risk. The article cited an October 2020 attack at the University of Vermont Medical Center. That one was a ransomware attack, one in which the perpetrators demand money in exchange for releasing the computers or networks.
According to the AAMC, the center didn’t hand over a ransom, but its electronic records and programs were down for almost a month. Patients had to be rescheduled or sent elsewhere. Even without the ransom, the attack is estimated to have cost the system $50 million, the bulk of it due to lost revenue.
We don’t know what kind of attack targeted the HSHS systems. The point stands, regardless. Hospitals and other health care systems are targets and they need to be prepared. That includes smaller locations like offices for doctors and dentists, among others. Basic security protocols, like being wary of what attachments you open, helps. It’s a first step. But anyone in the field needs to realize that the information entrusted to them by patients must be secured against online criminals.
There’s another need that kicks in once an attack is made. Be open about what happened, to the extent you can, and don’t try to hide it. Systems the size of HSHS, Mayo, or Marshfield involve too many patients to keep anything quiet long. People notice problems, and people talk.
Make sure your message lines up with reality. HSHS described this incident as “a temporary systemwide outage” for several days. That description may be accurate, but it also suggests a less serious event than a cyberattack that managed to take down phone lines, patient portals and other communications.
Don’t bury the message, either. Damond Boatwright, the system’s president and CEO, was featured in a video posted at 7 p.m. Friday. Releasing information on a Friday, particularly a Friday before a holiday weekend, has long been referred to as a news dump. It allows the people making the announcement to correctly claim they put out the information, but does so in such a way as to almost guarantee it will be overlooked.
That video was the first time HSHS admitted what everyone was fairly sure of: this was a cyberattack, not something like an accidentally-cut internet cable. While we understand why the announcement was delayed — it takes some time to be sure and you want to avoid unnecessary worries for patients — it again seemed like something that could, and should, have been conceded earlier.
Boatwright made one very important point in the video. “There will be information that we can’t share publicly, and that is so we can protect the security of our systems and the privacy of the patients and communities we serve,” he said. Acknowledging a distinction between what he could say and what needed to remain secure was a smart move.
This isn’t the reminder anyone, patients or health care providers, wanted. The scope isn’t yet clear, though we certainly hope it fell short of accessing patient records. The lesson is clear: health care providers are in online criminals’ crosshairs and need to be ready.