The recent headlines are distressing: Healthcare Endpoint Attacks Cost the Industry $1.3B Annually, Latest WannaCry Attack Stresses Healthcare’s Need to Fortify Defenses, 26% of Orgs Would Pay Ransomware After Healthcare Cyberattack.
Digital security in healthcare is obviously a pressing issue. But from a doctor’s perspective, proposed digital security solutions usually elicit just a few basic questions: Will it work in my practice? Will I get paid? Will I get sued? Those are practical questions, but cybersecurity in healthcare is a much more complex quandary.
Our collective need to digitalize and connect everything to capture modern technological capabilities and improve care has also expanded the threat landscape and our potential vulnerabilities exponentially, creating a nightmare that exposes us to risks much greater than even electronic medical record breaches. Cybersecurity is actually a patient safety issue.
A secure system is only as strong as its weakest link, and there are technologies aimed at shoring up digital vulnerabilities: encryption, authentication mechanisms, networking infrastructure best practices, even AI for security. But as we increasingly connect disparate tools and systems with third parties and new participants, these technologies are not necessarily being applied uniformly. You have to look at the whole expanding digital organism to see how urgent the situation is becoming.
I work within the health system, which used to be a fairly closed “fortress” environment digitally. But we now commonly have mobile health apps and interfaces, health information exchanges, public cloud computing architectures, IoT devices, sensors and monitors, all connecting with the traditional hospital data and communications infrastructure on various levels. Those technologies offer great automation and productivity benefits, but each of those connections is also a potential vulnerability. The high-volume engagement and service delivery component of healthcare also introduces additional risks. And where we used to simply warn people against writing their passwords on sticky notes attached to their PCs, we now must guard against phishing attacks, website malware, spyware, ransomware and more. Even with strong encryption in certain areas, you can’t guard against your own people clicking the wrong link and exposing the entire kingdom.
Healthcare is very different from other industries by nature. It is a heavily regulated space, with frameworks like HIPAA, and has multiple competing authorities at both the state and national levels. But many people don’t fathom that compliance with HIPAA and other government standards aids in security but does not guarantee it. Just because you are compliant doesn’t mean you are secure. In today’s big data world, a lot of digital security policies are already outdated.
Integrated players are now becoming fused into one giant network, which compounds complexity, and healthcare is not immune from the turn of the tide. While technology concerns like Google and Amazon are attractive to health organizations under cost pressure, they operate under very different imperatives and regulations than players in healthcare. And there is a security skillset gap in the healthcare world. The fear of non-compliance leads to a binary state where people just want to turn everything off, authorize no access and share nothing—which prevents information movement and slows progress. Healthcare digital security is a vexing concept. It is fluid and constantly evolving—there is no set-it-and-forget-it approach to the issue.
Thus, digital security requires a continuous delivery mindset, has to be infused throughout healthcare, and calls for a holistic three-layer strategy addressing:
- Encryption, authentication and smart connection technology
- Process management and education
- Regulation and policy
In healthcare, we are all excited about all the promise of technological innovation, but as the headlines indicate, we too often downplay the new traps. Instead, any new technology has to support secure process, and secure process has to be infused throughout the healthcare industry.
The situation isn’t hopeless. Opportunity abounds for fortifying existing digital security and establishing a better systemic approach. There are ingenious propositions for enhancing data security via universal text tokenization and encryption prior to network or cloud transport/transfer/storage, as well as interest surrounding permissioned blockchain technology for securely sharing data within private but distributed healthcare systems or communities.
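To make the first of those propositions concrete, here is an added example (not code from the original post, and not any vendor's product) of vault-style tokenization applied to a patient record before it leaves the trusted zone. The field list, the in-process `TokenVault`, and the sample record are constructed for illustration; a real deployment would keep the vault in a hardened, access-controlled service and would encrypt the tokenized payload (and rely on TLS) for transport, which this example does not show. It also includes a simple outbound check that catches an identifier slipping through in free text, a common failure of field-based tokenization.

```python
"""Vault-style tokenization of direct identifiers before a record is sent to
network or cloud storage. Added illustration only; the vault here is an
in-memory stand-in for a protected token store (assumption)."""
import json
import secrets

# Fields treated as direct identifiers. This list is an assumption for the
# example; a real policy would be derived from the applicable de-identification rules.
PHI_FIELDS = ("patient_name", "mrn", "ssn", "dob")


class TokenVault:
    """Maps identifier values to random tokens; only the vault can reverse the mapping."""

    def __init__(self):
        self._to_token = {}   # (field, value) -> token
        self._to_value = {}   # token -> value

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._to_token:
            # Random token: reveals nothing about the value it replaces, and the
            # same value always maps to the same token so joins still work downstream.
            token = f"tok_{field}_{secrets.token_hex(8)}"
            self._to_token[key] = token
            self._to_value[token] = value
        return self._to_token[key]

    def detokenize(self, token):
        return self._to_value[token]


def tokenize_record(record, vault, fields=PHI_FIELDS):
    """Return a copy of the record with every identifier field replaced by a token."""
    out = dict(record)
    for f in fields:
        if f in out and out[f] is not None:
            out[f] = vault.tokenize(f, str(out[f]))
    return out


def restore_record(tokenized, vault, fields=PHI_FIELDS):
    """Reverse tokenize_record; only possible with access to the vault."""
    out = dict(tokenized)
    for f in fields:
        if f in out and isinstance(out[f], str) and out[f].startswith("tok_"):
            out[f] = vault.detokenize(out[f])
    return out


def leaks_phi(payload, record, fields=PHI_FIELDS):
    """True if any raw identifier value still appears anywhere in the outbound payload
    (for example because it was repeated inside a free-text note)."""
    return any(str(record[f]) in payload
               for f in fields if f in record and record[f] is not None)


def check_outbound(record, vault):
    """Tokenize, serialize, and report whether the serialized payload still leaks PHI."""
    payload = json.dumps(tokenize_record(record, vault))
    return payload, leaks_phi(payload, record)


# Constructed sample record (fictional values).
SAMPLE = {
    "patient_name": "Jane Example",
    "mrn": "MRN-000123",
    "ssn": "000-00-0000",
    "dob": "1970-01-01",
    "diagnosis_code": "E11.9",
    "note": "Follow-up in 3 months.",
}


def demo():
    vault = TokenVault()
    payload, leaked = check_outbound(SAMPLE, vault)
    roundtrip = restore_record(json.loads(payload), vault) == SAMPLE
    return {"payload": payload, "leaks": leaked, "roundtrip": roundtrip}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The payload that leaves the trust boundary carries only tokens and non-identifying clinical fields; the vault mapping is the sensitive asset to protect and audit. The `leaks_phi` check is deliberately blunt: it flags the case where a clinician's note repeats the patient's name, which field-level tokenization alone would miss.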
For any of these innovations to move forward, we must stop viewing health IT as a cost center (where we try to reduce instead of increase investment). And we must get creative about positioning security at scale in healthcare as an investment-worthy loss-prevention measure. We can even start to explore security as a revenue opportunity by monetizing unique measures customized to the health space that can be useful to others. A renewed focus on mastering the complex nature of our rapidly evolving digital health environment is required, as is institution-level commitment to recasting cybersecurity in healthcare as a continuous endeavor.