How to better balance imperatives for speed and security
The Golden Hour puts a premium on prompt treatment. Security controls can eat up precious time, but skipping them leaves hospitals more exposed to attack.
Healthcare professionals refer to the first hour after a patient suffers a traumatic medical incident as the “Golden Hour.” Whether or not a patient receives care during this brief window is one of the best indicators of whether they will recover.
For example, if a stroke victim does not receive treatment within the first hour, their chances of making a full recovery drop significantly. The same is true for patients who have suffered a serious injury or otherwise have been involved in an accident. Any EMT will tell you that the first hour is critical. Get to them fast, get them stable fast, and get them to a hospital fast. The Golden Hour is crucial to recovery and staying alive.
This is surprisingly relevant to cybersecurity. As healthcare technology has become increasingly digitized, cybersecurity has grown into a top-level concern for hospitals and other care facilities. Unfortunately, security always comes with trade-offs, often in the form of friction.
Each new login portal takes time to navigate, and waiting for (and entering) a multifactor authentication (MFA) token can also take several minutes. Steps like these may not add significant time on their own, but the longer it takes healthcare professionals to access health records, diagnostic services and other resources, the less time they have to treat patients before the Golden Hour is up.
Navigating this dilemma can be a challenge for today’s healthcare providers, and striking a balance between security and accessibility is essential.
The importance of security
Strong cybersecurity is particularly important in the healthcare industry for obvious reasons. Healthcare providers collect a significant amount of information from patients, including personally identifiable information (PII). Data like contact information, dates of birth, addresses and Social Security numbers all fetch a decent price on the dark web, and financial information like credit card or bank account numbers can be even more valuable.
Protected health information (PHI) is more valuable still to attackers, in part because a medical history cannot be changed the way a compromised card number can. Its exposure leaves patients open to blackmail or discrimination based on information completely outside their control, and patients may become hesitant to share their medical history with providers if they feel it is at risk of being exposed in a data breach.
This is a major reason why healthcare stands as one of the most heavily regulated industries. For example, while the Health Insurance Portability and Accountability Act (HIPAA) is best known for securing privacy rights for individuals and their medical histories, its Privacy Rule and Security Rule also set out clear data protection requirements that healthcare providers must follow.
Organizations responsible for HIPAA violations can incur civil penalties in the range of $2 million per year for each category of violation, and knowingly obtaining or disclosing PHI in violation of the law is a criminal offense that can lead to jail time for the individuals at fault. And while HIPAA is the statute most directly applicable to healthcare, providers are often expected to meet other compliance frameworks as well, such as SOC 2 or ISO 27001, whether by business partners, insurers or their own governance programs.
Attackers exploit the Golden Hour
Unfortunately, this need for security often butts awkwardly up against the expediency inherent in the Golden Hour, forcing healthcare organizations to choose between faster treatment or stronger protections.
For example, imagine a hospital whose security controls take approximately two minutes to navigate each time a clinician needs access. That may not sound like much, but consider how many medical professionals a patient entering an emergency department might interact with: an intake coordinator, a nurse, a lab worker and a doctor, and possibly a specialist or an anesthesiologist on top of that. If each of those five or six people spends two minutes getting through security controls, the patient has already lost nearly 12 minutes of that Golden Hour. If it took the patient 30 minutes to reach the hospital, that hour is quickly closing. Security is important, but every second matters in healthcare.
Worst of all, attackers know this — and it has made healthcare organizations a prime target for ransomware attackers. These attackers specialize in encrypting data and causing service outages, refusing to relent until their payment demands are met. Every minute a facility cannot provide treatment is a minute that could result in complications or worse.
This means healthcare organizations are highly motivated to pay ransoms, and to pay them quickly. It's a tricky position for healthcare companies to be in. Too much security friction makes systems difficult to navigate, resulting in treatment delays. Not enough security makes the organization an easy target. The specific demands placed on healthcare companies require a balanced approach.
Making the right decisions
But how can hospitals and other care facilities achieve that balance? Everything comes with tradeoffs, and different organizations will make different choices regarding what is right for them. Maybe that means not requiring MFA on hospital WiFi connections or limiting the reach of those connections. Maybe it means using physical tokens to accelerate the login process without compromising security.
Different choices will work for different facilities, and it’s important to consider the positives and negatives of each option before making a decision. The second article in this series will discuss some of those options and the advantages and disadvantages of each, hopefully helping hospital administrators and security teams better understand the options available to them while providing the absolute best care to their patients in the process.
Nick Kathmann is the chief information security officer of LogicGate.