AAMI Promotes Proactive Approach to Healthcare Cybersecurity in Wake of Hospital Ransomware Attack

February 18, 2016

Contact: Gavin Stern, gstern@aami.org, 703-647-2781

The stunning news that a California hospital paid ransom to regain control of its computer systems after a malware attack serves as a stark reminder that healthcare facilities need to take a focused and strategic approach to cybersecurity—and AAMI has the resources to help.

This week, Hollywood Presbyterian Medical Center paid nearly $17,000 in ransom to take back access to its electronic records, including sensitive patient data, after a hacking attack that is now under investigation by the FBI. The network had been shut down for about a week, affecting everything from electronic health records to networked medical devices.

“The malware locks systems by encrypting files and demanding ransom to obtain the decryption key,” the hospital's chief executive, Allen Stefanek, said in a statement. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Based on federal records, hundreds of cybersecurity breaches have been reported by healthcare institutions, including medical providers, insurers, and hospitals. This includes a Texas facility that went down for a week in early 2016 due to ransomware, and a Florida hospital that was the victim of a similar attack in September 2015, DOTmed reports.

“The best approach to cybersecurity, for both healthcare delivery organizations and device manufacturers, is a proactive one,” said Mary Logan, president of AAMI. “What we’ve heard from security experts time and time again is that you can’t add on cybersecurity after the fact, you have to build it in—to devices, systems, and the culture of an organization. If you don’t invest in protecting your network up front, you will pay for it later.”

AAMI has developed a number of resources to assist healthcare manufacturers and healthcare delivery organizations with identifying and mitigating cybersecurity issues:

  • Horizons Cybersecurity in Healthcare: What You Need to Know. This issue of Horizons addresses issues fundamental to cybersecurity, reports on key trends, and offers insights on protecting medical devices and technology from cyberthreats.
  • ANSI/AAMI/IEC 80001-1. This national standard focuses on risk management for IT networks that incorporate medical devices. It defines responsibilities for medical device manufacturers, IT developers, and those engaged in installing, using, reconfiguring, maintaining, and decommissioning IT networks.
  • BI&T cover story, "Is Your Patient Data Secure?" This article addresses cybersecurity threats hospitals face and highlights the role healthcare technology management professionals play in assessing risk and securing network architecture.
  • FAQs for the Wireless Challenge in Healthcare. This complimentary resource is intended to help healthcare technology, information technology, and facilities management professionals understand how to best use, manage, and secure wireless technologies in healthcare settings.


AAMI (www.aami.org) is a nonprofit organization founded in 1967. It is a diverse community of more than 10,000 healthcare technology professionals united by one important mission—supporting the healthcare community in the development, management, and use of safe and effective health technology. AAMI is the primary source of consensus standards, both national and international, for the medical device industry, as well as practical information, support, and guidance for health technology and sterilization professionals.