A patient lies in his hospital room with an EKG on a bedside workstation at the Indiana Heart Hospital.

Hospitals are increasingly under attack.

Earlier this week, the Washington D.C.-based MedStar Health, which runs ten hospitals, was exposed to a computer virus.

Hackers have recently gone after health care facilities in Los Angeles and Kentucky.

The question for hospitals, which hold all kinds of sensitive information, is how they are responding to minimize the threat to themselves and protect patient safety.

Here’s what kept former FBI agent Andre McGregor up at night, back when he worked as a Cyber Special Agent in New York City.

“At a hospital I have to deal with pacemakers, CAT scan machines, the refrigerator for blood. All of these things have IP addresses. All of these have software that need to be updated,” said McGregor, who is now Director of Security at Tanium, a cybersecurity company.

In other words, hospitals are highly vulnerable to any variety of cyber threats.

According to the Ponemon Institute, a data protection group, criminal attacks in the healthcare industry are up 125 percent since 2010 and are now more likely to occur in that sector than any other in the economy.

One reason: too many hospitals are sitting on their hands.

The situation reminds James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, of a quote from the philosopher Nietzsche.

“All great things must first wear terrifying and monstrous masks in order to inscribe themselves on the hearts of humanity,” recited Scott.

Scott says unfortunately “ransomware and cyberattack have to get a lot worse, before it gets the attention it needs.”

Too often, said Scott, hospitals beef up security after an attack.

This puts patient and staff data at risk and can also interrupt daily hospital operations, jeopardizing patients’ physical health.

Ernie Hood, an analyst with the Advisory Board Company, pointed to basic steps, like assessing the threat and developing a response plan, that every hospital could take today, as in, right now.

“It’s the old story the police will tell you, if you got a barking dog, you are less likely to be burglarized. That’s not going to prevent the burglar, but they are more likely to go to your neighbor,” he said.

But Hood said developing a more sophisticated proactive response is tougher than it may sound.

Today, he said, executives and hospital boards lack the tools to both assess risk AND calculate the investment needed to enhance security.

Follow Dan Gorenstein at @dmgorenstein