Mobile and cloud technologies, combined with big data and advanced analytics, are revolutionizing our healthcare system, making life-saving care accessible to more patients. At the same time, the medical sector is under constant cyberattack. The healthcare infrastructure, electronic medical records and medical devices are all targets of malicious activity by criminals, hacktivists and nation states. These attacks can close emergency rooms, put sensitive patient data at risk and potentially disable medical devices. The increasingly sophisticated and widespread nature of cyberattacks is a growing challenge to preserving privacy and protecting patients.
Despite the fact that four in five U.S. physicians have experienced a cybersecurity incident, a culture of cyber awareness and risk management has not fully taken hold across the healthcare system. In addition, recent research shows that many chief information officers are not following baseline steps for patient data security, and companies are paying for this lack of preparedness in fines and remediation costs. For example, in 2018 a major health insurance company paid a record $16 million HIPAA fine when nine million patient health records were exposed.
Recently, the Department of Health and Human Services (HHS) published a series of reports featuring cybersecurity best practices and practical, tangible guidance for operating in today's high-threat environment. More than 150 cybersecurity and healthcare experts contributed to the four volumes, fulfilling a mandate set out by the Cybersecurity Act of 2015. These resources provide voluntary guidance specific to small, medium and large healthcare organizations. The content is crafted to appeal to every healthcare stakeholder, from the C-suite to the IT team to those on the frontlines of care.
"Health care organizations must practice good 'cyber hygiene' in today's digital world, including it as a part of daily universal precautions," HHS noted in a statement.
The HHS guidance highlights how to combat phishing, ransomware attacks, loss/theft of equipment/data, insider accidental/intentional data loss and attacks on medical devices. (See attached infographic.) In addition, the reports provide comprehensive recommendations across 10 cybersecurity tracks, including e-mail protection, access management, data protection, asset management, endpoint protection and more.
Adherence to these guidelines will help ensure that the tremendous innovation and potential of medical technologies are not derailed. Health information technology and medtech offer the potential to tackle huge medical challenges, including population health, clinical care, fundamental research, public health outbreaks and chronic disease management. Government, businesses, health systems and medical organizations must work together to establish and promote cybersecurity literacy.
Healthcare providers spend years in medical training focused on the physical threat of illness, learning how to prevent infections and perform medical procedures with the utmost precision. Much as healthcare organizations require continuing medical education, they should ensure that staff are educated about virtual threats and equipped for their data security roles.
In addition, health systems and companies should communicate cybersecurity plans to community leaders, policymakers, patients and other stakeholders to build confidence and generate best practices. Relevant guidelines are voluntary, but if breaches and issues continue, there will be increased scrutiny and perhaps increased regulation and reporting requirements. Collaboration is key to continuing to provide access to state-of-the-art care through today's medical technologies. Several organizations and forums exist for sharing best practices and working together to address threats.
In the coming months, HHS will implement its suggested cybersecurity practices across the healthcare sector. Stakeholders should be proactive in getting ready.
Authors:
Michelle Baker, EVP, Signal Group, with expertise in medtech, hospital system communications and healthcare public affairs.
Megan Brown, Partner, Wiley Rein LLP, leads the firm's cyber practice, helping clients across sectors manage risk and government oversight.