Healthcare cybersecurity under attack: How the pandemic affected rural hospitals
Ever since it started, the pandemic has greatly affected the overall threat landscape, with different organizations falling victims to cyberattacks. Understandably, those who had been hit the most were the healthcare organizations. The change in their workflow has created new vulnerabilities and enhanced old ones, making tham an easy target for cybercriminals. Large institutions somehow managed to keep afloat, but what about small rural hospitals?
In this interview with Help Net Security, Baha Zeidan, CEO at Azalea Health, talks about how rural hospitals have been affected by the pandemic and what steps they should take to boost their cybersecurity posture.
These are trying times for all organizations, but especially hard for the healthcare sector. How has the pandemic affected rural hospitals in particular and what could the long-term repercussions be?
Rural hospitals often lack access to the same resources enjoyed by larger hospitals, and many were already running on razor-thin margins and lean staffing before the pandemic. Of the roughly 1,800 rural hospitals in the US, 25% were at immediate risk of closing due to financial pressure in early 2020. With many forced to cancel or postpone revenue-generating elective procedures, the pandemic has been devastating financially.
What’s more, while urban and suburban hospitals were able to switch to telehealth to see many of their patients, rural areas face broadband coverage gaps that make telehealth inaccessible. Many rural hospitals also face staffing shortages that can make it difficult to manage patient volumes in a surge.
We will continue to see the effects the pandemic has had on rural hospitals in the long run. In some ways, the long-term impact will be good — even though they’re behind on the curve, the pandemic has been a catalyst for rural hospitals to adopt new, cloud-based technology to improve their revenue cycles and lower their IT maintenance costs.
The pandemic also brought attention to gaps in broadband coverage, which will hopefully be rectified by the Infrastructure Bill pending in Congress. If broadband coverage expands, then telehealth will be a lot more valuable for rural communities moving forward, especially if regulatory barriers that were waived during the pandemic don’t return.
In other ways, however, the negative impact of the pandemic on rural hospitals will be long lasting and painful. Nearly 900 rural hospitals (40% of all rural hospitals in the US) are either at immediate risk or high risk of closing. These hospitals need help, and their communities depend on it. Rural communities also have higher proportions of vulnerable patients — the elderly and the chronically ill — that are at higher risk of having long-term complications from COVID-19.
What differentiates large hospitals from rural ones when it comes to cybersecurity? What can be done to overcome the hurdles?
Due to lack of capital, clinician shortages and suboptimal revenue cycle, many rural hospitals struggle to leverage the same technology as their larger counterparts. This has put them on the unfortunate side of the digital divide for a long time, and the pandemic only worsened that gap. This extends to cybersecurity. Small rural hospitals often don’t have the money to hire full-time cybersecurity staff to keep their systems secure. Without security staff, they may not be aware of the latest security updates from their IT providers or have the ability to implement them.
With that said, there are steps rural hospitals can take to stay secure. First and foremost, rural hospitals should partner with technology vendors that put security first. Cloud-based IT solutions have the advantage of updating automatically, eliminating the need for an IT specialist or consultant to install updates manually. Rural hospitals should also incorporate regular education and training to both staff and their patients: 95% of security breaches are due to human error.
What is the strategy rural hospitals should implement to better secure their digital assets without interrupting their workflow?
The key is to invest in IT solutions that put cybersecurity at the forefront of their technology. The reality is that most rural hospitals don’t have the staff or resources to keep up with the latest cybersecurity protections, so outsourcing those responsibilities to their technology providers can keep clinicians focused on their patient care workflows.
Do rural hospitals need specific technology or is a one-size-fits-all solution enough?
Every rural hospital is different, so no, there’s no one-size-fits-all solution for all of them. That said, using disparate IT solutions can create openings for attackers if they aren’t integrated and interoperating securely. The more integrated their IT solutions are — EHR, revenue cycle management software, telehealth, etc. — the fewer attack points there will be.
Another important consideration for rural hospitals is to make sure their IT solutions can be customized and adapted to their workflows. EHR solutions in particular have a reputation for poor usability, and the more clicking clinicians have to do, the less time they have with their patients. Customizing EHR workflows can help clinicians work more efficiently.
Whether big or small, hospitals must meet regulatory requirements. Why do you think this is a harder task for rural hospitals?
Larger hospitals tend to have more advanced capabilities in use with their EHR (55.5% of hospitals with less than 400 beds) v. smaller (33.7% with over 100 beds), however smaller hospitals still must meet the same regulatory requirements. New regulations, such as the Promoting Interoperability reporting requirements, can be difficult to keep up with for smaller hospitals, who often have staffing shortages.
Without dedicated IT resources, smaller hospitals may not know or fully comprehend what software capabilities they need to have in place to meet these requirements. Software vendors can support hospitals by providing training and consultants to help clients understand the regulatory requirements and how to meet them with their software.