As evidenced by the malware-induced breach at Banner Health and the ransomware attack at Hollywood Presbyterian earlier this year, cybercriminals are continually targeting healthcare organizations. The financial and reputational costs of a breach can be immense and often those costs aren’t fully realized for several years after the event as regulatory findings and fines are rarely immediate. The cost of a breach has significant impact on the cost, access, and safety of care. I see four areas where we in the industry should be increasingly vigilant—unchecked adoption, implementation of consumer tools, Internet of Things (IoT) leakage, and government involvement.
As more and more apps and tools for caregivers’ smart phones become available, organizations must enforce policies and standards to avoid possible data loss. Caregivers are necessarily innovative and, if a tool will make their jobs easier, they are likely to use it. A good example is cloud storage it’s entirely convenient for accessing files, but the ramifications of commingling personal and care related information is not inherently addressed in these applications and tools. Unchecked adoption of shadow apps and systems as well as BYOD issues are common causes of data loss. Helping caregivers understand that implementing new tools has potential risks for your organization and for them personally is difficult. However, organizations must have mechanisms in place so that clinicians can make recommendations for the tools and systems they want (and often need) and an efficient vetting process that seriously considers the recommendation and “closes the loop” with the clinician. It’s not enough to just say no; you’ve got to work with the business to address the needs.
"An increasing number of public sector cyberattacks have hastened the cybersecurity conversation by legislators and investigative agencies—that’s very promising"
Implementing Consumer Tools
Smart phones aren’t only in the hands of clinicians. Patients are also eager to connect with healthcare through taps and swipes. However, safely and securely implementing consumer facing apps that touch vast amounts of healthcare data and actually provide value to the patient presents its own set of concerns. The increased traffic and access to data increases the likelihood of a breach if sufficient controls are not in place on the device or within the app. Connecting apps together and sharing data between them also presents many security issues that must be resolved in the development process. A strong expectation of vendors to uphold your security requirements as well as reviews of their Secure Software Development Life Cycle (SSDLC) programs are important parts of making application purchase decisions.
Internet of Things (IoT) Leakage
IoT devices are entering healthcare at an increasing rate. Many of these devices lack needed encryption or have potential fail points that can be exploited by crafty cybercriminals. In order to make certain that patients’ data (and the patients themselves) are safe from this type of leakage requires a set of security standards that the industry doesn’t yet have. Without standards these devices will continue to be developed in isolation, which only increases the chances that proprietary code can’t be efficiently monitored by cybersecurity professionals. I’ve long advocated for standards for data exchange, but similar attention needs to be payed to security. If you can’t monitor devices consistently and appropriately they’ll easily become revolving doors for cybercriminals to enter your organization.
An increasing number of public sector cyberattacks have hastened the cybersecurity conversation by legislators and investigative agencies—that’s very promising. More than ever, it’s time for the government to work with the healthcare industry in a collaboration that can help to reduce cyber risks. Together we can look at the problem holistically, and put practices in place that support each other while identifying criminals and appropriately penalizing them. Recently there has been media chatter about the new administration’s thoughts on cybersecurity for the nation; healthcare needs to hold its place at the table, making sure that security policy helps rather than hampers healthcare organizations.
Whether or not the Accountable Care Act is dismantled in the coming months won’t significantly change cybersecurity in healthcare. The need to protect the massive amounts of data with which we are entrusted has always been and remains critical. In the past, decisions about cybersecurity were largely made in the data center, but today those decisions are more often guided by board expectations and overall risk tolerance. As the industry continues to look for ways to increase access to safe, quality care, technology will be a major player. That’s why it’s important for healthcare CIOs and CISOs to educate other executives, employees, and consumers about the importance of a sound cybersecurity strategy that monitors, detects, and mitigates the risk of cyberattack. Cybersecurity is a collaborative effort that involves IT, the business, the patient, caregivers, and the government. If we can educate and promote best practices amongst those players, than we’re likely to continue moving healthcare forward, increasing access and safety while decreasing costs. Failure to create secure processes and systems will only continue to increase costs and risk, and reduce access.