HEALTHTECH: How has healthcare cybersecurity grown in recent years? What are some top concerns today that weren’t an issue a decade ago?
STURGEON: Technology usage has evolved and grown more complex, which means different risks have come up that weren’t necessarily a worry 10 years ago. If we’re talking about just telemedicine, for example, as providers and patients connect virtually, the perimeter is no longer contained within the four walls of a hospital. It expands to where the patient is, and the vulnerabilities that may exist in a patient’s home. The patient’s cyber hygiene has a potential effect on the hospital as sensitive data and that technical connection are shared, and that’s something we need to worry about.
Cybersecurity to protect patient safety is really important, but considerations must stretch beyond HIPAA. In recent years, cyberattacks that hamper hospital operations can seriously impact outcomes, as cases in Alabama and in Germany have shown.
Part of the impetus for the Medical Device Security Lab was a patient safety conversation. Yes, we still need to protect the data. That’s a natural assumption at this point. But we need to take the conversations further and really center the care of patients.
Let’s really have conversations in partnership with clinicians. I work with clinicians, but it’s a small number, so how can we expand that and speak about cybersecurity and patient safety with nurses, doctors and medical assistants in a language they can relate to? How can device safety be a key part of the conversation when it comes to implementing pacemakers or insulin pumps so that we’re prepared should vulnerabilities come up?
Healthcare organizations also need to stay updated on global threats, especially from nation-state actors. These conversations need to happen in public, not only among cybersecurity professionals. It needs to spread industrywide, including all health system leaders. We need to have transparent conversations and stop burying our heads in the sand.