Technology has dramatically transformed modern healthcare. Patients can view lab results in real time, make appointments online and use smartphone apps to control medical devices. In addition, the widespread use of electronic health records has improved data-sharing and collaboration among physicians and their patients, reduced medical errors and improved medical research.
Although the digitization of health information has enhanced the delivery of care, it has also made health care data more vulnerable to attack. A June 2017 report published by the Health Care Industry Cybersecurity Task Force found serious deficiencies in the healthcare industry’s cybersecurity preparedness.
The task force, which Congress established through the Cybersecurity Act of 2015, encourages the use of technology throughout the healthcare industry, but it also recognizes the need for safeguards to help prevent hackers from using those technologies to steal patient data and other valuable information.
According to the task force report, a number of factors contribute to cyber vulnerabilities in the healthcare sector, including real-life urgent situations, tension between department priorities and budget considerations.
For example, hospitals are generally “public” institutions that function at all hours of the day and night, and they are open to anyone looking for medical services. Amid these chaotic, fast-paced environments, dozens of providers and staff must communicate in order to maintain effective patient care. When faced with a critical care situation, healthcare personnel may have little choice but to leave a workstation unlocked to allow other providers to access vital patient information and identify potential patient safety issues. Indeed, the urgent need for information can be in conflict with best practices related to privacy and security.
The report also notes that, at the organizational level, cybersecurity is often viewed as a siloed “IT” problem, and not something that requires high-level attention. Until a healthcare organization experiences a data breach, information security professionals may have trouble convincing the organization that cyber-attacks pose risks to patient care, or that proactive measures can protect the organization against long-term reputational damage.
In light of recent attacks on hospitals, however, this fragmented approach is dangerous. The “WannaCry” ransomware attack on the National Health Service in the U.K. highlights the need for preparedness and coordinated efforts between various departments, including information security, risk management and legal.
The tension between the cost of preparedness and an organization’s limited resources can also be problematic, particularly in smaller organizations.
As one task force member put it, the high costs of cybersecurity measures could force providers to choose between “procuring new security technologies and related subject matter expertise, or purchasing new ventilators and hiring nurses.” Yet, as the report points out, it is misguided to assume that cyberattacks only affect large organizations. Healthcare organizations of all sizes are targets, in part because of the valuable nature of health information and the black market for medical records.
Six improvement ‘imperatives’
With this background in mind, the task force identified six “imperatives” to improve cybersecurity in the healthcare industry:
1. Define and streamline leadership, governance and expectations for healthcare industry cybersecurity
2. Increase the security and resilience of medical devices and health IT
3. Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
4. Increase healthcare industry readiness through improved cybersecurity awareness and education
5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposures
6. Improve information sharing of industry threats, weaknesses and mitigations.
Although achievement of the recommended goals will require coordination across the public and private sectors, there are many ways that healthcare organizations can immediately begin addressing cybersecurity issues.
Identifying a dedicated cybersecurity leader is a good place to start. Small and medium-sized organizations also may want to consider migrating patient records from legacy systems to more secure environments, such as cloud-based storage. Organizations of all sizes should begin developing and updating policies related to cybersecurity and data privacy.
Finally, healthcare organizations should ensure that they are in compliance with state and federal laws related to data privacy and the protection of health information.
Despite the rapid pace of change in technology and the healthcare industry, there are resources available for strengthening cybersecurity. The task force report provides useful strategies for improving preparedness, and consulting with legal counsel can help ensure compliance with applicable laws.
With more data being created every minute, and more devices being connected every day, preparedness is vital to fighting cybercrimes. We must face these difficult issues directly — the future of healthcare depends on it.