As recently as May 5, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) issued a joint alert to warn that “advanced persistent threat (APT) groups are exploiting the Covid-19 pandemic” to specifically target “healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments,” presumably in order to collect bulk personal information, intellectual property and intelligence that aligns with national priorities.

While it’s disheartening that our global health crisis comes accompanied by increased health care cyber threats, it shouldn’t be surprising. Cybersecurity in the health care sector is completely fractured and thus ripe for an incursion.

The situation was dire even before the pandemic. According to HIPAA Journal, “510 healthcare data breaches of 500 or more records were reported” in 2019, representing a 196% increase from 2018. The number of individual health care records breached so far in 2020 is likewise troubling, with the journal reporting a staggering 1,531,855 in February 2020 alone.

These cybersecurity issues aren’t harmless, and they affect everything from care delivery to solvency. Health care IT News noted that “according to a 2019 American Medical Association-Accenture Medical Cybersecurity Survey, 36% of health institutions were unable to provide care for at least five hours as a result of cyberattacks.” Separately, Security Boulevard noted that the average cost of a health care data breach is $6.45 million, adding that “the 2019 Cost of a Data Breach Report by the Ponemon Institute and IBM indicates that healthcare is the most expensive industry in terms of the total average cost per breach. They also had the longest data breach lifecycle—the time it takes to identify and contain a breach—of 329 days.”

It’s not that competent people aren’t trying to defend health care. Every modern health care organization has some combination of IT security package, services and/or policy. The problem is that none of it is really working.

Ask almost any health care leader if their organization’s data was stolen today. Or whether unauthorized access to patient records occurred in the last hour. Or if their employees were targeted by a phishing scam this week. Or how likely they are to fall victim to a ransomware attack this year. Then ask how each of those will affect their operation. They likely will not be able to give you definitive answers because existing health care cybersecurity doesn’t work that way — but it should.

There’s no “set it and forget it” cure for cybersecurity, but until health care cybersecurity achieves the same level of sophistication established in industries such as aerospace or finance, the full power of IT remains suppressed in the industry.

Systematized Specialization

In the second half of the 20th century, if Red Adair and his team arrived to fight an oil fire, you could rest easy that the job would get done. He was a larger-than-life firefighting superhero famous for putting out over 2,000 fires in his lifetime, including the infamous and seemingly unstoppable Phillips gas well fire in the Sahara, known as the “Devil’s Cigarette Lighter.”

However, he was also a natural engineer, a prodigious inventor, highly innovative, specialized and methodical — and he assembled a body of similar experts directing their combined talents on a single area of expertise.

Sure, they capped blown wells, but what rarely made headlines was their continuous development of well blowout control equipment and unique techniques designed specifically to stop uncontrolled blowouts. There are untold quantities of fires that never happened because of Adair’s efforts and the methodologies he helped to establish as standards for managing risks particular to a singular global industry.

Health care cybersecurity demands similar specialization. It may not require its own Red Adair, but a purpose-driven and industry-specific health care cybersecurity model akin to his approach to oil fire prevention and containment needs to be established. We need to fundamentally re-engineer the way we conduct cybersecurity in health care.

Critical Need

Despite more than 20 years of critical infrastructure protection efforts by a variety of companies and organizations, including the creation of Information Sharing and Analysis Centers (ISACs) and, in 2015, the ISAO model, attempts to improve the U.S. cybersecurity posture by setting standards for robust sharing and analysis of information on cybersecurity risk, incidents, remediation and best practices have not met the health care sector's needs.

There are operational realities that exacerbate the problem. U.S. health care is highly fragmented, multidisciplinary and compartmentalized — and so is its technological infrastructure, which runs the gamut from circa-2010 PACS radiology systems to IoT-enabled ventilators. One need only look at the failings and limitations of electronic health record (EHR) development to grasp the varied and disjointed nature of the industry’s IT systems, services and standards.

Health care cybersecurity intelligence thus remains siloed behind proprietary walls and bereft of real-time function, operational visibility or the capacity to adapt quickly as threats evolve. Whatever analyses are available amount to floods of irrelevant minutiae or one-size-fits-all vagueness, and they arrive too late for decisive action.

There is no situational awareness, nor any mechanism for providing it. Despite the legions of security associations, committees and advisories, health care cybersecurity is still pervasively weak. The result is wasted resources and scattershot defense, akin to tending an endless stream of potential fires without any strategic visibility into their source, scope, cost or cure. It’s enormously expensive and ineffectual, and it’s limiting the magnitude of IT-enabled advances across the industry.

We don’t need to establish another arm of the federal government to rectify health care cybersecurity, but we do need to stop reacting as we have in the past and invest in developing solutions customized to work for the new realities of a health care business.

If we ever hope to get health care cybersecurity under control, we could use some Red Adair-style engineering and innovation specific to our risks and weaknesses as an industry.