An internet television program that explores the intersection of medicine and the law.

Risk Management Tips for Hospitals to Avoid Ransomware Attacks

By Tom Andre, VP of Information Services at Cooperative of American Physicians (CAP) | Risk Management

Description

What You Need to Know: Hospital Ransomware Attacks

Our guest on Healthcare Matters is Tom Andre, VP of Information Services at Cooperative of American Physicians (CAP). In part 5 of our series What You Need to Know: Hospital Ransomware Attacks, we ask Mr. Andre for risk management tips hospitals can use to avoid ransomware attacks. This information is important in the wake of the numerous hospital malware attacks occurring around the country, including the one against Hollywood Presbyterian Medical Center.

This is only one of the many questions we asked Mr. Andre about cyber security and how healthcare facilities can protect themselves. Check out all of them here:

  1. Explaining the Recent Ransomware Attacks on Hospitals
  2. Top Two Risks a Hospital Faces in a Malware Attack
  3. How Common are Ransomware Attacks on Hospitals?
  4. The Surprising Ways a Hospital can be Infected with Ransomware
  5. Risk Management Tips for Hospitals to Avoid Ransomware Attacks
  6. Should Hospitals Negotiate with Hackers if Hit with Ransomware?
  7. Protecting Patient Data During Hospital Ransomware Attacks
  8. Full Interview with Tom Andre: What You Need to Know: Hospital Ransomware Attacks

Transcript

Mike Matray: Okay. What are the risk management steps that a hospital or a large physician group should take to avoid this type of an attack, and how expensive is ongoing data security in the healthcare arena?

Tom Andre: Well, it’s not cheap for anybody. One of the important things to know is that you can’t really rely on any one thing for cyber security. The perpetrators, the criminals that are behind these attacks, for every piece of security software and equipment that you have, they probably have one that they’re working on and trying to defeat.

So, it’s good to have what’s called a layered defense. In the case of phishing and social engineering, you should have a good email filtering product, a spam filtering product. That’s gonna catch some things. You want good anti-virus. That’s going to catch some things if people click on them.

There’s also a technology called endpoint protection, which really controls what can be installed and will look for anomalous behavior on a computer. Most anti-virus software vendors have endpoint protection as an add-on product, or some include it with their products. That’s also good.

There’s also a technique called Application White Listing, which, essentially, if you’re in an organization, you really know, for the most part, which computer applications people are supposed to be running. They should be running your EMR system, they should be running your re-conning software. They don’t need to be running iTunes.

So, what you can do with Application White Listing is create lists of what is acceptable to run, and it doesn’t allow anything else to run. So that if somebody clicks on something and it tries to install software, the malware, it can stop it right in its tracks.