by George Mathew, MD, MBA
Security threats affect all industries, but few are more vulnerable than healthcare, which is now a lucrative target for hackers. In 2017, the Office for Civil Rights in the Department of Health and Human Services reported that 358 healthcare providers suffered a breach of 500 or more records, affecting more than 5 million patients.
Despite these threats, the industry is ill-prepared to address the problem. And while many healthcare organizations are beginning to implement practices that demonstrate a more mature understanding of security as an enterprise challenge, none of this is happening quickly enough to mitigate the threats.
The issue of cybersecurity extends well beyond the walls of IT and compliance: if a patient’s healthcare data is compromised, it could significantly damage the relationship between provider and patient, even to the point of putting patient safety at risk. Despite this, providers still struggle to get the resources they need to combat a constantly changing threat.
Security across platforms
One of the challenges healthcare organizations struggle with is managing security risks around legacy platforms. Even as healthcare systems seek to implement new technologies, legacy systems remain, and it will be imperative to safeguard data in those systems through the implementation of information governance and technology management.
At the same time, the adoption of user-friendly interfaces and smart devices by both patients and healthcare providers increases access to information and systems. The result will be better productivity and a more engaged patient, but security must be front and center of these developments.
In the future, as organizations transition to the Smart Hospital of the future — with care moving out of the hospital and into the home, and with the provision of remote monitoring and telemedicine — security strategies will need to be patient-centric.
Careful thought needs to be given to how access to healthcare data is controlled, both to combat cyber crime and to ensure that information remains protected and available when servers go down.
To achieve this, organizations need to know their weaknesses — those areas that are vulnerable to information being stolen — and look for ways to protect that data and ensure that only the right people can access information, at the right time.
In the hospital setting, one way to address this might be implementing situational or circumstantial access control. For example, healthcare professionals probably shouldn’t be accessing a patient’s information in the cafeteria, where there is a risk of other people looking over their shoulder to read private data. With situational security, the system wouldn’t allow practitioners to access classified information outside of the patient or caregiver area.
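The situational access control described above, as an added example that is not part of the original article: a policy check that grants access to clinical data only when role, care-team relationship and physical zone all line up, plus a small review hook that surfaces users who are repeatedly denied. The zone names, roles and sample requests are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from collections import Counter

# Physical zones where viewing clinical data is acceptable (constructed list).
CARE_ZONES = {"ward", "icu", "exam_room", "nurse_station"}
CLINICAL_ROLES = {"physician", "nurse"}

@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    role: str           # e.g. "physician", "nurse", "billing"
    zone: str           # zone reported by badge reader or network segment
    patient_id: str
    on_care_team: bool  # user is assigned to this patient's care team
    data_class: str     # "clinical" or "administrative"

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def evaluate(req: AccessRequest) -> Decision:
    """Deny unless role, care relationship and physical context all line up."""
    if req.data_class == "administrative":
        if req.role in CLINICAL_ROLES | {"billing"}:
            return Decision(True, "administrative data, role permitted")
        return Decision(False, "role not permitted for administrative data")
    if req.role not in CLINICAL_ROLES:
        return Decision(False, "role not permitted for clinical data")
    if not req.on_care_team:
        return Decision(False, "requester is not on the patient's care team")
    if req.zone not in CARE_ZONES:
        # The cafeteria case from the article: right person, wrong place.
        return Decision(False, f"clinical data not viewable in zone '{req.zone}'")
    return Decision(True, "care-team member in a care zone")

def users_with_repeated_denials(requests, threshold=2):
    """Review hook: users denied at least `threshold` times, for follow-up."""
    denials = Counter(r.user_id for r in requests if not evaluate(r).allowed)
    return sorted(u for u, n in denials.items() if n >= threshold)

# Constructed sample requests, not real hospital data.
SAMPLE = [
    AccessRequest("dr_a", "physician", "ward", "p1", True, "clinical"),
    AccessRequest("dr_a", "physician", "cafeteria", "p1", True, "clinical"),
    AccessRequest("nurse_b", "nurse", "icu", "p2", False, "clinical"),
    AccessRequest("nurse_b", "nurse", "cafeteria", "p2", False, "clinical"),
    AccessRequest("clerk_c", "billing", "office", "p1", False, "administrative"),
]
```

Running `evaluate` over `SAMPLE` denies the cafeteria request even though the physician is on the care team, and `users_with_repeated_denials(SAMPLE)` flags only the nurse with two denied requests.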
Scaling security for healthcare
While the large hospital environment presents many security challenges, this is only one part of the healthcare story. Most healthcare is delivered through small clinics and hospitals, where the challenge is scaling security to the individual needs of the organization.
In these environments, budget, staffing and skill sets remain the primary issues. As such, these clinics and small hospitals need to take a different approach to security. Just as the cloud made computing easy to access and has helped smaller businesses achieve unprecedented scale, these smaller enterprises need to shift away from in-house security investments and toward deploying industry-leading security services.
A culture of security
To move security to the center of decision making, healthcare organizations will need a cultural shift, supported from the highest level. Security needs to be on the board agenda, with continuous discussion about the implications and risks of underinvesting in cyber security resources and tools.
From care coordination teams to administrative staff, organizations must promote a culture that embraces cyber security and an expectation that all stakeholders will exercise discipline in how they securely use the data. To ensure that cyber security is treated as more than simply a compliance requirement in response to regulations such as HIPAA, organizations should conduct a thorough risk assessment to best determine their needs in terms of investment and preparedness. And while this should be driven from the C-suite, it’s important to ensure that all stakeholders are involved in incident response planning.
All these initiatives need to be developed around a framework that leverages best practices using a proven cyber reference architecture that aligns to key cyber security frameworks, is technology agnostic, accelerates security foundations and delivers business outcomes. An integrated cyber defense platform will offer broader benefits than deploying a collection of point solutions.
By giving careful thought to cybersecurity in terms of systems and tools, people and objectives, organizations can prepare for the changing needs of patients, highlight — and adjust for — the current security deficiencies in the old hospital system, and be ready for the Smart Hospital of the future.
George Mathew, M.D. is the Chief Medical Officer for the North American Healthcare organization for DXC. In this role, he serves as the clinical expert and healthcare thought leader to our healthcare clients in transforming the healthcare marketplace. Dr. Mathew graduated from Boston University School of Medicine and completed his residency in Internal Medicine at Greenwich Hospital/Yale University in Connecticut.