Hospitals' latest cybersecurity threat: Burned out healthcare workers

May 13, 2022
By Dr. Thomas Graham

Over the past two years, COVID-19 has pushed hospitals and healthcare systems to their breaking points, flooding beds and demanding daily personal sacrifices from critical healthcare workers. Each resurgence has served as a reminder of the critical nature of our healthcare infrastructure – and its need to be consistently resilient.

Although some of COVID-19's worst health outcomes appear to be tapering off, with new cases and patient deaths declining despite legitimate worries over new variants, a long-gestating issue is coming into sharper focus: Burned out from dealing with the never-ending pandemic, healthcare workers and leaders are inadvertently opening the door to a new wave of dangerous cybersecurity threats.

Healthcare under digital threats
Improbable though it may have seemed before the pandemic, cybersecurity has emerged as one of the healthcare community's most prominent topics of conversation and concern. As COVID-19 shut down offices across the world, hackers deliberately targeted healthcare systems with ransomware and threats designed to disrupt day-to-day operations. Some hospitals were forced to return to pen-and-paper record keeping; others saw ER-destined patients unnecessarily re-routed to distant locations due to inaccurate information on open beds.

These attacks haven't stopped: the first part of 2021 saw a 62% year-over-year increase, and healthcare leaders continue to struggle with rising threats and actual attacks affecting patient care. Yet many organizations' IT and security operations have quietly fallen by the wayside, due to the chaos of COVID-era limited resource allocation, coupled with employee burnout as the pandemic's third year looms in the not-too-distant future.

From pandemic pain to endemic shortfalls
This is particularly concerning because the teams hired to help mitigate cyberthreats are thinning at an alarming rate during a time when those threats are continuing to rise steadily. There was already a serious shortage of qualified cybersecurity professionals prior to the pandemic, and as team members fell ill or were forced to exit the workforce to care for family members, a domino effect rippled through multiple industries.

Between subsequent population losses and The Great Resignation, understaffing has become the norm rather than the exception inside and outside the healthcare sector. Many front-line workers who remain, including non-medical employees who were required to work in high-risk environments, are either already burned out or on the road to burning out.

According to a recent 1Password report (via HealthITSecurity), burned-out employees were three times as likely to say security rules "aren't worth the hassle," compared with respondents who weren't burned out. Exhausted employees were also much more likely to either pick an easy password or stick with the same password for everything: 59% of burned-out employees did so, 16% higher than workers who weren't experiencing burnout. The evidence is clear: Employee burnout is a "severe, pervasive and multifaceted security risk."

It would be easy to dismissively write off burnout as a common, unavoidable problem, but the reality is that the cybersecurity of healthcare infrastructures is becoming weaker because of it. After two years of constant crisis, healthcare workers are so worn out from triaging patients and witnessing deaths that remaining vigilant regarding cyberthreats feels comparatively abstract. Coupled with the vastly changed threat landscape created by new protocols, telehealth initiatives, and mHealth, burnout and ambivalence have become more commonplace. When security isn't a priority, threat actors can capitalize on a perfect storm of vulnerability and inattentiveness to swoop in and take advantage, ironically making it harder for weary healthcare workers to do their jobs.

Burnout obviously isn't the only issue. When leaders inside and outside the healthcare industry felt compelled to rapidly pivot their organizations to remote and hybrid work models, cybersecurity structures lagged, and threat actors got ahead. While most organizations had a strategy in place for the pre-COVID paradigm, the new operational landscape often left these additional cybersecurity loopholes unaddressed. Even for hospitals that retained most of their employees as essential front-line workers, remote work shifts and BYOD by non-essential workers and supply chain providers created gaps through which malware and other threats could enter organizations unnoticed.

The right time to rethink cybersecurity
Now, as we're finally experiencing a respite from the viral surges that continued through 2020 and 2021, healthcare leaders must take action to fortify their organizations against digital threats, not just by updating their hardware and software, but also by supporting their people. Throughout the pandemic, limited resources were rightly prioritized towards caring for critically ill patients, pushing their caretakers' well-being into the backseat; there's no longer any excuse to maintain that status quo.

The most proactive first step is for healthcare organizations' security leaders to seek out responsive, custom-tailored, and comprehensive cybersecurity measures, both modern technologies and the related expertise needed for effective implementation. This must include regulatory compliance, plus practical consideration of measures that will be effective not only under attack, but also despite burned-out employees. By updating their digital infrastructures with technologies capable of withstanding today's and tomorrow's cyberthreats, leaders will ensure that their workers won't have to work overtime defending their threat landscape, or suffer doubly if the defenses fall short despite their best efforts.

As healthcare systems invest in newer and better security technologies, they must also invest in new people, including people to constantly monitor the security software for red flags, perform regular updates, and provide the essential training needed to understand what the security software is telling them. At a time when many cybersecurity teams are buried under mountains of unpatched and under-addressed issues, actively tracking and managing results enables organizations to stay up to date with the latest security measures. This proactive approach will save hospitals from last-minute IT scrambles when cyber threats are imminent.

Last but not least, healthcare systems must conduct risk assessments more often than occasionally or annually. The cybersecurity landscape is moving far too fast for once-a-year check-ups, as today's threat actors are continuously strategizing new ways of causing harm. Quarterly or even monthly targeted assessments and tests will give security leaders a more informed idea of where things stand, and allow for easier backtracking should an attack occur. By doing these types of targeted assessments, burned-out cybersecurity teams will not feel as overwhelmed as they would going through full organizational risk assessments.

There's little question that relieving healthcare workers from the burnout they are experiencing will result in better performance in the workplace, including superior care for patients, stronger cohesion with the organization's overall goals, and ensuring the availability of patient care resources. Given the critical importance of cybersecurity, and the extent to which hackers rely upon both technological and human weaknesses to exploit systems, strengthening the human line of defense is a critical step in protecting healthcare infrastructures against the next wave of attacks.

About the author: Dr. Thomas Graham is the chief information security officer for CynergisTek.