
How vulnerable is health care cybersecurity?

Mark Jarrett, MD, explains why health care cybersecurity is deemed to be in critical condition

While large health systems field strong IT teams to combat threats, health care can still be attacked through various methods

Late last month, the US Food and Drug Administration warned patients and health care providers that certain Medtronic MiniMed insulin pumps were being recalled because of potential cybersecurity risks, leaving roughly 4,000 known diabetes patients in the US exposed to having their information stolen or, even worse, their insulin dosage changed by someone who could connect wirelessly to the pump.

The pumps' wireless communication was cited as the source of the threat, which says something about the era we live in: wireless connectivity now drives virtually every daily activity and almost every industry, including finance and health care.

So how vulnerable is health care cybersecurity?

The stark truth is that we are very vulnerable, enough that the Health Care Industry Cybersecurity Task Force referred to the current situation as “critical.” There is no perfect world: the black hats keep working while the white hats figure out how to stop the last threat. What used to take hackers thousands of hours to break into now takes only three hours. Unless everyone we work with, and connect to, is properly secured, there will always be viable threats.

Technology is good, but humans are using it. And there’s always room for error.

Why health care?

Cybersecurity is not just about money. It's a serious patient safety concern: attackers steal information and hijack computers and medical devices. Health care is an expanding mosaic. Ambulatory practices, home care, telemedicine and strategic alliances have been good for increasing access and relieving illness, but they also pose significant challenges in keeping patient information safe.

Section 405(d) of the Cybersecurity Act of 2015, which produced voluntary cybersecurity practices aimed at small and medium-sized hospitals and health systems, presents a critical picture of the state of the nation. What's at stake is medical information, which can be sold or used by others to obtain medical care in your name. Having your medical history stolen or altered can be devastating now that medical history has become such an important driver of diagnosis and treatment.


Connectivity has become essential to delivering quality care regardless of where you go, but it's challenging considering there are so many external forces at play, including:

  • Federal and state laws that delay the sharing of data across locations;
  • Tightened budgets that limit smaller organizations' ability to hire enough staff to oversee cybersecurity;
  • Those same organizations' lack of adequate infrastructure to share information effectively and safely; and
  • A growing shortage of cyber professionals across the board.

Any weak link is a threat, but personnel will always be the key factor in effective cybersecurity. For example, say a larger health system partners with a smaller organization whose systems become infected by ransomware or other malware. The larger system should help that organization and its patients if needed; it's the right thing to do. But by connecting the two organizations' information systems, the larger one runs the risk of having its own secure systems infected as well, unless the connection is limited to the specific services the partnership needs and the traffic crossing it is monitored.

This happens quite often. Anyone you do business with, such as a billing or credit card company, can become infected, giving attackers an inside route into your systems.


Another rising concern is the increasing use of wearable medical devices that collect user data and send it back into health systems. These devices need to be controlled, and patients must be prepared. If a device connects through home Wi-Fi and the router or the device still uses “admin” as both its username and its password, it is not secure and is easy to compromise.

Health care providers need to be more proactive about this risk and make sure their systems are secure if their patients are using wearable technology for their care.

Safeguards and ongoing education

I don’t pretend to be a cybersecurity expert by any means, but I’ve been lucky enough to sit in on regional and national committees and provide a clinical perspective on the issues. This conversation needs to be taken to the next level.

Ongoing communication with physicians is the most important aspect of effectively protecting health information. Phishing and other social-engineering scams continue to be one of the biggest threats. If you get an email and the attachment doesn't look right, don't open it. Don't use thumb drives from outside your organization: they may not be encrypted, and they may carry malware. And when ransomware locks a medical record, providers have to fall back to paper, which is always a potential safety risk. Information can be stolen, and attackers can insert erroneous information while removing other items.
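The advice above leaves “doesn't look right” to the reader's judgment. As an added example that is not part of the original article, the following Python script turns it into a check a mail gateway or help desk tool can apply to every attachment: it flags extensions that execute code, macro-enabled Office documents, a document-looking name hiding a second extension, a right-to-left override character in the name, and content whose leading bytes don't match what the extension claims. The attachment names and byte prefixes are constructed for the example and are not real messages.

```python
"""Added example (not from the article): a small attachment triage check."""
from dataclasses import dataclass

# Extensions that execute code or scripts when opened on a workstation.
EXECUTABLE_EXTS = {"exe", "scr", "com", "js", "jse", "vbs", "hta",
                   "bat", "cmd", "ps1", "lnk", "iso", "img"}
# Office formats that may carry macros.
MACRO_EXTS = {"docm", "xlsm", "pptm"}
# Leading bytes ("magic numbers") of formats normally expected in clinical mail.
MAGIC = {
    "pdf": b"%PDF",
    "png": b"\x89PNG",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
}
PE_MAGIC = b"MZ"  # every Windows executable starts with these two bytes


@dataclass
class Attachment:
    filename: str
    head: bytes  # the first bytes of the attachment content


def triage(att: Attachment) -> list[str]:
    """Return the reasons an attachment looks wrong; an empty list means no finding."""
    reasons = []
    parts = att.filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if "\u202e" in att.filename:
        # Right-to-left override makes "photo\u202egnp.exe" display as "photoexe.png".
        reasons.append("right-to-left override character in file name")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled document .{ext}")
    if len(parts) > 2 and parts[-2] in MAGIC and ext in EXECUTABLE_EXTS:
        # invoice.pdf.exe: a document-looking name in front of the real extension
        reasons.append("double extension hides the real type")
    if att.head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        reasons.append("content is a Windows executable but the name says otherwise")
    expected = MAGIC.get(ext)
    if expected is not None and not att.head.startswith(expected):
        reasons.append(f"content does not match a .{ext} file")
    return reasons


def should_quarantine(att: Attachment) -> bool:
    """Policy decision: hold anything with at least one finding for review."""
    return bool(triage(att))


# Constructed sample attachments for the example (not real messages).
SAMPLES = [
    Attachment("lab_results.pdf", b"%PDF-1.7\n"),
    Attachment("invoice.pdf.exe", b"MZ\x90\x00\x03"),
    Attachment("referral.pdf", b"MZ\x90\x00\x03"),
    Attachment("schedule.docm", b"PK\x03\x04"),
    Attachment("photo\u202egnp.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for att in SAMPLES:
        print(f"{att.filename!r}: {', '.join(triage(att)) or 'no finding'}")
```

The magic-number comparison is the check that catches what a clinician cannot see: a file named `referral.pdf` whose bytes start with `MZ` is a Windows program, whatever its icon shows. Extension lists like the ones here need to be maintained as attackers move to new container formats, so treat them as a starting point rather than a complete policy.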

Cyber threats aren’t a new phenomenon, yet we still need to educate clinicians. Nobody likes re-entering a password every time a screen locks. But the reality is that if we don’t, our vulnerability increases.

Mark Jarrett, MD, is senior vice president and chief quality officer at Northwell Health. Along with his clinical responsibilities, he assumes several roles on regional and national cybersecurity committees, including the Joint Cybersecurity Working Group and the Healthcare Industry Cybersecurity Taskforce for HHS. He was recently appointed as an at-large member of the Healthcare Sector Coordinating Council’s (HSCC) Cyber Working Group Executive Committee.
