Cybersecurity in healthcare is not just an IT problem.
At most organizations, when it comes to tackling cybersecurity, we know what we need to do. But doing it also requires the will to make the necessary cultural and technical changes and to gain institutional buy-in. It will be difficult, and it will cost money. But do we really have a choice?
Ransomware poses an existential threat to data security and operations in an era of electronic health records, integrated health data management systems and connected medical devices. As a result, it puts every person’s health and safety at risk.
That is not hyperbole. Cyberextortionists in May unleashed WannaCry ransomware on the general public, affecting hundreds of thousands of computers in 150 countries, including those at many National Health Service hospitals and clinics in the United Kingdom. The healthcare industry likely was not deliberately attacked, but instead was a target of opportunity, reached through links to malware distributed by email.
WannaCry represents just one example of the unacceptable level of cybersecurity risk tolerated by healthcare organizations. Internet-connected health data systems and devices are at risk of being hacked for profit, and the volume, variety and velocity of attacks will only increase. Yet organizations currently devote insufficient resources to this battle, or they deploy those resources ineffectively.
Many in the industry refuse to admit when they’ve been victimized, even though the federal government mandates disclosure. More open sharing would help to improve defenses against future attacks, but the industry, instead, collectively accepts them as a cost of doing business. That perspective must shift.
What Cybersecurity Can Learn from Modern Medicine
Healthcare’s ongoing cybersecurity plague closely resembles another challenge the industry previously perceived as insurmountable: the spread of healthcare-associated infections. Through the past decade, however, organizations stopped accepting HAIs as a certainty.
Three factors drove the change:
- Unambiguous financial incentives: The federal government changed Medicare rules and no longer reimburses hospitals for the cost of preventable hospitalizations.
- Building and sharing tools: Development of public and private sector HAI prevention programs, broad dissemination of key learning, guidelines and checklists, and sharing of experiences.
- Leadership and drawing a line in the sand: When a health system CEO says, “We will eliminate all central line infections in our system within three years,” things happen.
Strides in HAI mitigation hold valuable lessons for those on the front lines of the cybersecurity battle. Organizations can and should consider those same factors in their fight against new and existing cyberthreats.
Automating Financial Penalties Could Shock Hospitals into Action
A private-sector attorney does not often call for more fines on the regulated community, but such a shock to the system might motivate improved compliance.
When preventable hospitalizations began to carry a consistent, concrete financial penalty, HAI control improved. Such penalties could drive similar outcomes for all-too-preventable data breaches. To the extent the regulated community responds only to a big stick, compliance lags because enforcement lags.
Practice Impeccable Data Hygiene
Just as changes like improved handwashing compliance helped to reduce HAI rates, instilling better data safety routines almost certainly would lessen the likelihood of a breach. Simple, repeatable steps taken by provider organizations could eliminate many threats to data security.
Entities should review access to every computer system, and patch and update software and operating systems regularly. Tailor data privacy and security training to each staff member to ensure relevance at an individual level.
What’s more, facilities must ensure understanding of email safety concepts. Launching fake phishing exploits teaches users about the fallout that can result from clicking on contaminated links or attachments.
Additionally, organizations must conduct a post-mortem review of each security incident to discuss problems openly. Primary prevention efforts almost certainly will benefit if employees know they can talk about issues without fear of liability.
Instilling a Top-Down Security Mentality
Despite growing concerns, many healthcare organizations still struggle to devote sufficient resources to IT security. Establishing a culture of compliance is critical to increasing funding for implementation, and that starts at the top. Executives, therefore, must commit publicly to eliminate all preventable data breaches. Committing to do better is the first step to becoming better.
It is also a terrific step in branding an organization as aligned with patients and quality. It worked for central line infections, and it can work for data breaches.