tw-Security

Cybersecurity in healthcare: The critical connection to patient safety

With interoperability on the rise, it’s important for CIOs to implement cybersecurity measures and uphold patient safety in a threatening digital landscape.



Cybersecurity can feel like a life-or-death issue with regard to patient safety, which can keep CIOs awake at night.

Some hospitals have been offline for days after a cybersecurity event, raising serious patient safety concerns. And sometimes, such an interruption may have dire consequences and trigger lawsuits.

For example, an Alabama woman whose 9-month-old daughter died filed suit against the hospital where she was born, claiming the facility did not disclose that its computer systems had been crippled by a ransomware attack, which resulted in diminished care that led to the baby’s death.

Thankfully, CIOs and other senior executives are becoming far more open to implementing cybersecurity controls as a result of the heightened awareness of patient safety issues.

Aligning with the strategic goals

As always, CIOs need to find ways to tie requests for funding of enhanced controls back to an organization’s strategic goals. And one obvious goal is ensuring patient safety.

To minimize the risks technology can pose to patient safety, CIOs need to take a leadership role, making sure their organization takes several steps, many of which are often overlooked. These include the following:

  • Conducting frequent security awareness training for all staff members.
  • Using state-of-the-art tools and technology to monitor behavioral patterns and detect problems in audit logs before it's too late.
  • Performing a ransomware readiness assessment.

A ransomware readiness assessment is a more in-depth analysis, an expansion of what many organizations already do for their risk assessment. These readiness assessments can spot vulnerabilities that can be mitigated now rather than lamented later after lawsuits have been filed in the wake of a breach.

Cyber insurance companies are tired of paying out claims. As a result, they’ve enhanced their policy renewal questionnaires. One of the questions we frequently hear from these insurers now is, “Have you conducted a ransomware readiness assessment?”

Other action items

Because so many bad state actors and criminals are targeting the healthcare sector to take advantage of so many possible points of infiltration, it’s important to take steps to help prevent and detect breaches, prepare for incident responses, implement recovery plans and take other steps to assure readiness.

Prevention

  • Implement updated technical controls, including endpoint detection and response (EDR) and managed detection and response (MDR) to cope with today's threat environment.
  • Require multifactor authentication for remote access to email, the corporate network and cloud-based systems. 
  • Provide regular security awareness training for the workforce, including regular internal phishing campaigns.
  • Implement a consistent and vigilant vulnerability and patch management program. 
  • Deploy privileged access management.
Detection

  • Implement Security Information and Event Management (SIEM) and make sure your audit logs are collecting all relevant data. 
  • Implement auditing and monitoring using artificial intelligence or user behavioral analytics to keep tabs through real-time monitoring. Outsource log monitoring to security professionals if the organization's security team is too small. 
  • Engage a managed security service provider to monitor the organization's network and systems around the clock. 
Response

  • Accept that a compromise is likely (or is already in play) and focus on due diligence, including how to effectively respond, when it happens. 
  • Create incident response procedures, playbooks and plans.
  • Have a well-defined incident response team and know how to contact the participants via an alternate communication channel.
  • Remember: “It’s not the event, but your reaction to the event that people will remember the most.”

Recovery

  • Diligently perform data backups, test restores and rehearse disaster recovery plans.
  • Make sure up-to-date business continuity and disaster recovery plans are in place.
Assurance

  • Test your incident response capability (plans, playbooks and procedures) through a tabletop exercise that includes both technical staff and executives. Then incorporate "lessons learned" when refining response plans.
  • Purchase cyber insurance, being careful to buy a policy that best meets an organization's precise needs.
  • Set up an agreement or retainer with a forensic company in case its services are needed. 
Senator Warner’s white paper

In a detailed report, “Cybersecurity Is Patient Safety,” issued late last year, Sen. Mark Warner, D-Va., summed up important issues:

“Although … cybersecurity vulnerabilities certainly leave healthcare organizations exposed to patient data theft, they often have far-reaching, and more serious, impacts beyond privacy concerns. Cyberattacks can be detrimental to patient safety, as they can lock physicians out of treatment tools, shut down hospital equipment used for care, and create backlogs that delay appointments and treatment. When it comes to cyberattacks affecting patient care, the question is no longer a matter of if or when, but how often and how catastrophic the consequences.”

Cybersecurity needs to be treated as a cost of doing business, and that cost needs to be reflected in Medicare reimbursements. The problem with healthcare cybersecurity is that it is usually part of the IT department budget, which is overhead to the hospital or clinic. Anyone who works in healthcare will tell you that when it is budget planning time, patient care departments and services take a higher priority than departments that are considered mere overhead, such as IT. This is normal because the mission of healthcare is to treat patients.

The federal government has expectations when it comes to data and information sharing, creating more opportunities for data breaches. If the government is promoting data sharing, then it has an obligation to help cover a portion of the costs associated with sharing data securely.

Cybersecurity is essential to patient safety. It is a cost of doing business in the healthcare sector. And CIOs will sleep better at night if they win support for the people, processes, and technologies needed to keep systems reasonably secure.

Tom Walsh, CISSP, is founder and managing partner of tw Security.
