Mobile and cloud technologies are revolutionizing our healthcare system, making life-saving care accessible to more patients, but the medical sector is under constant cyberattack.
Mobile and cloud technologies, combined with big data and advanced analytics, are revolutionizing our healthcare system, making life-saving care accessible to more patients. At the same time, the medical sector is under constant cyberattack. The healthcare infrastructure, electronic medical records and medical devices are all targets of malicious activity by criminals, hacktivists and nation states. These attacks can close emergency rooms, put sensitive patient data at risk and potentially disable medical devices. The increasingly sophisticated and widespread nature of cyberattacks is a growing challenge to preserving privacy and protecting patients.
Despite the fact that four in five U.S. physicians have experienced a cybersecurity incident, a culture of cyber awareness and risk management has not fully taken hold across the healthcare system. In addition, recent research shows that many chief information officers are not following baseline steps for patient data security—and companies are paying for this lack of preparedness in fines and remediation costs. For example, in 2018 a major health insurance company paid a record $16 million HIPAA fine when nine million patient health records were exposed.
Recently, the Department of Health and Human Services (HHS) published a series of reports featuring cybersecurity best practices and practical, tangible guidance for operating in today’s high-threat environment. More than 150 cybersecurity and healthcare experts contributed to the four volumes, fulfilling a mandate set out by the Cybersecurity Act of 2015. These resources provide voluntary guidance specific to small, medium and large healthcare organizations. The content is crafted to appeal to every healthcare stakeholder, from the C-suite to the IT team to those on the frontlines of care.
“Health care organizations must practice good ‘cyber hygiene’ in today’s digital world, including it as a part of daily universal precautions,” HHS noted in a statement.
The HHS guidance highlights how to combat phishing, ransomware attacks, loss or theft of equipment or data, accidental or intentional insider data loss, and attacks on medical devices. (See attached infographic.) In addition, the reports provide comprehensive recommendations across 10 cybersecurity tracks, including e-mail protection, access management, data protection, asset management, endpoint protection and more.
Adherence to these guidelines will help ensure that the tremendous innovation and potential of medical technologies is not derailed. Health information technology and medtech offer the potential to tackle huge medical challenges, including population health, clinical care, fundamental research, public health outbreaks and chronic disease management. Government, businesses, health systems and medical organizations must work together to establish and promote cybersecurity literacy.
Healthcare providers spend years in medical training focused on the physical threat of illness, learning how to prevent infections and perform medical procedures with the utmost precision. Much as healthcare organizations require continuing medical education, organizations should ensure that staff is educated about virtual threats and equipped in their data security roles.
In addition, health systems and companies should communicate cybersecurity plans to community leaders, policymakers, patients and other stakeholders to build confidence and generate best practices. Relevant guidelines are voluntary, but if breaches and issues continue, there will be increased scrutiny and perhaps increased regulation and reporting requirements. Collaboration is key in continuing to provide access to state-of-the-art care by today’s medical technologies. Several organizations and forums exist for sharing best practices and working together to address threats.
In the coming months, HHS will implement its suggested cybersecurity practices across the healthcare sector. Stakeholders should be proactive in getting ready.
Michelle Baker, EVP, Signal Group, has expertise in medtech, hospital system communications and healthcare public affairs.
Megan Brown, Partner, Wiley Rein LLP, leads the firm’s cyber practice, helping clients across sectors manage risk and government oversight.