Hospitals should only have to focus on saving lives; not on security

I know that the above statement will offend a lot of people, but before you all start flaming me, let me elaborate on this more and provide you with context as to why I would make such a statement. This past Sunday, I had to take my wife to the ER, which resulted in her having to have emergency surgery, and anyone who has ever been in a hospital with a loved one knows that it is a very stressful time and that our focus, and that of the hospital staff, is on doing what they can for the patient.
Whilst all of this was happening, there were a lot of “hurry up and wait” type situations, and being curious by nature and as a former CTO/CISO, I looked around at all the technology in the hospital from the perspective of an adversary / cyber-criminal, and there is a lot. I saw exposed network ports, unlocked and unmanned computers, many running outdated operating systems with just as outdated antivirus, shared credentials and numerous other things that would make any security person cringe. This is not a criticism of the hospital’s IT or security staff; it is just an unfortunate reality of modern times given the rate of change in technology and the interoperability of medical equipment, and given the last couple of years with COVID, observations such as exposed network ports are due to makeshift solutions of having cameras in rooms to observe patients and minimize exposure.
When you consider this technology and the fact that the people using these systems are health care professionals whose first priority should be that of looking after the patient, it is obvious why in recent times we have seen an increase in cyber attacks on hospitals and other medical providers. A quick Google search will show you a list of attacks against hospitals, such as “82% of Hospitals Experienced IoT Cyberattack in Past 18 Months” by Campus Safety, and of those hospitals, 34% were ransomware and 33% paid it.
I am by no means saying that hospitals shouldn’t focus on security, as they have access to Patient Health Information (PHI), but their primary focus should be on saving lives. I am very much a privacy and security advocate, but when you are being asked questions by the medical staff, you are an open book, and whilst there was a split-second thought that this is all going to be leaked, you tell them everything, as in that situation your focus is on your loved one and you want to make sure that they have all the information that they need.
I grew up in the old school and I am by no means a saint, but I have strong morals and principles. Criminals used to have their own moral code, hence the term “Honor among Thieves” and other variations of this such as “Prison Justice”, which is directed at those who hurt children and women. For those criminals who target hospitals and medical facilities: you are affecting patients’ health and lives. For one second, think about this being someone you love in a hospital that you have taken offline, and how you would feel if your family members suffered as a result.
I am sure that there is someone reading this who is saying “they should spend more on security” or “they should hire better security people” or a multitude of other reasons, but hospitals are the same as schools: I would prefer that they put more money towards helping our society and the people in it than having to protect it from those with no morals or principles who would target those institutions. When we look at the skills and resources that are needed in the security space, there is already a shortage across the board, and core services such as health care and schools are not able to compete with the likes of big tech companies in attracting top talent; the staff that I have met in these organizations are doing the best they can with the resources that they have. The simple fact of the matter is that it is easier to justify and get support for the latest medical technology that can detect cancer earlier or increase survival rates for treatment than for a security product that can reduce the number of phishing emails that get through. Even if we put this into monetary value, if a hospital put a higher priority on security than on saving lives it would be a front-page scandal; it is a “Damned if you do, Damned if you don’t” scenario.
For the medical and support staff at St Luke’s Hospital Quezon City, who took such great care of my wife: you are all heroes in my book, and even after a tough couple of years with COVID on top of your normal workload, you still had a smile and friendly disposition that makes you feel that everything is going to be okay.