Are hospitals and healthcare systems doing enough to protect against cyber attacks and cyber threats?
The punch line is this: hospitals and healthcare systems are playing major catch-up. Incentive moneys to digitise healthcare has taken priority. Historically, we have been years behind other industries in the adoption of technology, and when it comes to safeguarding healthcare information, a decade behind. In addition, hospitals traditionally view cyber risk management as an issue for their information technology professionals to manage. What we are seeing is the perfect storm emerging. Patient health is extremely vulnerable. The changing threat environment and the internet of things (IoT) is blurring lines between information security and patient safety and is requiring each discipline to expand its scope.
Healthcare leaders need to gain greater visibility into what’s happening enterprise-wide as it relates to IoT devices and proactively monitor threats across the organisation. It’s not only about the traditional IT assets such as the electronic health record system and the pharmacy and radiology systems, it’s also about biomedical devices that are attached to our patients or implanted in them. We see this as a large and growing business risk management issue, around which healthcare could be doing a whole lot more.
Medical devices today can be used in the home, across networks in hospitals, and embedded in the patient. However, many IoT-enabled medical devices were manufactured without understanding the full implications of cybersecurity. IoT-enabled medical devices can expose people, hospitals, and manufacturers to many significant risks. These risks include possible harm to a patient’s safety and health, loss of Protected Health Information (PHI), disruption of information flow of connected devices, physical interference with equipment, impact on business operations, damage to critical infrastructure, and unauthorised access to devices. Within hospitals, these devices enter through numerous channels. Any threats to the confidentiality, integrity, or availability of information represent threats to patient safety. Identifying and mitigating potential risks in legacy and connected devices is an important challenge for the industry. Many organisations are starting to take action on the cybersecurity and privacy fronts.
Hospital and healthcare systems in particular are playing major catch-up as it relates to cyber attacks, and there are opportunities for improvement. What we’ve had in the US as a result of the Electronic Health Records (EHR) incentive monies that have been awarded by the government through the 2009 American Recovery and Reinvestment Act (ARRA) is a great digitisation of our health care system. This significant investment in digitising healthcare has really taken priority over the matter of safeguarding it.
Is technology moving too fast for health systems to keep up?
There’s no doubt that the evolving pace of technology is moving too fast for the healthcare industry, but traditional approaches to patient safety and healthcare information risk management need to run alongside and evolve to address today’s technology and emerging direct threats to patients.
The fast change of technology opens the door to a wide spectrum of threats, ranging from traditional intrusions designed to steal PHI to more novel attacks, such as tampering with biomedical devices or blocking access to essential records systems. Information security has become an essential component of patient safety. Concurrently, the information needed to provide care resides in more places than ever before, including electronic health records; the smartphones, tablets and laptops carried by physicians and other caregivers; intelligent medical devices such as smart pumps, monitors and implants; patient portals; and mobile health apps, not to mention provider partners, business associates and other members of the patient care ecosystem. Safe, quality care depends on timely access to this information. Therefore, any threats to the confidentiality, integrity or availability of information represent threats to patient safety.
In large hospitals or health systems, departmental heads have a fair amount of autonomy over their selection and deployment of technology, and there are risk consequences. The IT person who is responsible for the networking and computing, applications and infrastructure is often unaware as new devices are attached to his or her networks. It’s a challenging problem for CIOs.
Hospital and Health System CIOs and Chief Information Security Officers (CISOs) must collaborate with peers to integrate their cyber or information risk management (IRM) strategy into their organisation’s overall enterprise risk management/governance, risk managament and compliance strategy. Both must become part of day-to-day operations and address the requirement to respond to inevitable cyber incidents and restore normal operations. When hospital leaders adopt an integrated IRM/ERM strategy, there can be greater returns for the organisation in terms of expanded knowledge, informed decision-making and reduced cyber risk. But, when they choose to ignore the strategic importance of IRM, the resulting complaints, breaches, failed audits or cyberattacks can erode the confidence of patients and staff, limiting the organisation’s ability to grow.
With so many areas to protect, how do hospitals and healthcare systems go about understanding cyber exposures?
First and foremost, hospitals need to do a better job of understanding their exposures. Hospitals and healthcare systems should be encouraged to look at the expanded ecosystem of the healthcare organisation and conduct a comprehensive information risk management (IRM) approach that is not a checklist. It’s a fundamental matter of identifying exposures and understanding them better. Understanding cyber exposures, it’s the starting point.
How have hospitals and healthcare systems become big targets for cyber attacks? What threats are they actually facing?
What better place is there for a bad guy to look than in health care—it’s single biggest hub for data. It’s a veritable library of our personal information and a treasure trove of that information. Not only do we have electronically protected health information, we have other personal identifiable information that includes driver’s licenses, dates of birth and, probably, payment card data.
The types of cyber threats and attacks that organisations are facing include these four categories—adversarial, accidental, structural and environmental. In doing a risk analysis, these are the four categories that are evaluated.
Of those four categories, the cyber attacker falls into adversarial. Organisations have threats in the adversarial category other than foreign nations. It might be a malicious insider, and that individual may be the person who’s siphoning and infiltrating all kinds of data from the organisation.
The accidental cyber threat can be in or outside the organisation. It can be as simple as a backhoe operator digging up a fiber optic cable that could disconnect your hospital from its electronic health record system.
Structural threats are subject to the laws of physics; we’re dealing with electro-mechanical devices there.
Environmental risks have to do with fires, earthquakes, mudslides and hurricanes. Health care can fall victim to these natural disasters.
In your opinion, what is the safest way to safeguard patients’ healthcare?
First step is to conduct comprehensive risk identification and assessment. The second step is to build a programme—not a once-and-done programme—but to adopt a cyber security framework, formal process and maturity model mentality; establishing, implementing, and maturing a programme.
The only way you can do this is if you understand what your exposures are. The most effective way is at a very operational level, by adopting a comprehensive, accurate risk analysis. This way you will gain a better understanding of your exposures and be able to address importance compliance.
Building a programme that adopts a cyber security framework, adopting a process and maturity model mentality, is showing continuous process improvement. This work needs to turn into establishing, implementing and maturing the programme.
Hospitals must be very wary of a “control checklist”. Controls are a guide and source of actions you might take when, and only when, you understand what your exposures are. In the absence of that, you may be overspending or you may be woefully under-protecting your information assets. So you need to be wary of control checklists.
Checklists will tell you to implement encryption, a firewall, data leak protection, a strong malware system and a good training programme, but if you have limited resources, how do you know in what order you should implement those? You will only understand that when you know your exposures.
How can a captive help solve the problem?
It’s about revenue and reputation and regulation … what we are seeing is that privacy/cyber risk is bleeding into professional liability issues.
A captive structure can be the keystone to a healthcare organisation’s risk management strategy. Captives have long been a haven for funds used to finance risk.
But, difficulties in measuring cyber exposures and concerns over the size of the exposure are still holding many captive owners back. Rather than securing funding to address the after-effects of a cyber attack, organisations should understand how a captive can be used to provide grants to the captive owner for reducing cyber risk and improving patient safety through training, periodic risk analyses and compliance assessments.
Do you think there should be more regulation in terms of cyber security for healthcare to make sure these big organisations understand their cyber exposures?
I’m not a fan of more regulation. The issue here is enforcing the regulations that already exist, implementing more accountability.
If anything, I would tweak the regulations around accountability. The mantra of health care is “first, do no harm”. All we need to do is move this newly created matter of creating harm onto the agenda of those people who have, naturally and historically, been risk managers.