Four Cyber Security Weak Spots You Should Care About When Others Don't

by Marc Probst, CIO & VP, Intermountain Healthcare

As evidenced by the malware-induced breach at Banner Health and the ransomware attack at Hollywood Presbyterian earlier this year, cyber criminals are continually targeting healthcare organizations. The financial and reputational costs of a breach can be immense, and often those costs aren't fully realized for several years after the event, as regulatory findings and fines are rarely immediate. The cost of a breach has a significant impact on the cost, access, and safety of care. I see four areas where we in the industry should be increasingly vigilant: unchecked adoption, implementation of consumer tools, Internet of Things (IoT) leakage, and government involvement.

Unchecked Adoption

As more and more apps and tools for caregivers' smartphones become available, organizations must enforce policies and standards to avoid possible data loss. Caregivers are necessarily innovative and, if a tool will make their jobs easier, they are likely to use it. A good example is cloud storage: it's entirely convenient for accessing files, but the ramifications of commingling personal and care-related information are not inherently addressed in these applications and tools. Unchecked adoption of shadow apps and systems, as well as BYOD issues, are common causes of data loss. Helping caregivers understand that implementing new tools has potential risks for your organization and for them personally is difficult. However, organizations must have mechanisms in place so that clinicians can make recommendations for the tools and systems they want (and often need), and an efficient vetting process that seriously considers the recommendation and "closes the loop" with the clinician. It's not enough to just say no; you've got to work with the business to address the needs.

Implementing Consumer Tools

Smartphones aren't only in the hands of clinicians. Patients are also eager to connect with healthcare through taps and swipes. However, safely and securely implementing consumer-facing apps that touch vast amounts of healthcare data and actually provide value to the patient presents its own set of concerns. The increased traffic and access to data increases the likelihood of a breach if sufficient controls are not in place on the device or within the app. Connecting apps together and sharing data between them also presents many security issues that must be resolved in the development process. A strong expectation of vendors to uphold your security requirements, as well as reviews of their Secure Software Development Life Cycle (SSDLC) programs, are important parts of making application purchase decisions.

Internet of Things (IoT) Leakage

IoT devices are entering healthcare at an increasing rate. Many of these devices lack needed encryption or have potential fail points that can be exploited by crafty cybercriminals. Making certain that patients' data (and the patients themselves) are safe from this type of leakage requires a set of security standards that the industry doesn't yet have. Without standards these devices will continue to be developed in isolation, which only increases the chances that proprietary code can't be efficiently monitored by cybersecurity professionals. I've long advocated for standards for data exchange, but similar attention needs to be paid to security. If you can't monitor devices consistently and appropriately, they'll easily become revolving doors for cybercriminals to enter your organization.

Government Involvement

An increasing number of public sector cyberattacks have hastened the cybersecurity conversation among legislators and investigative agencies; that's very promising. More than ever, it's time for the government to work with the healthcare industry in a collaboration that can help to reduce cyber risks. Together we can look at the problem holistically, and put practices in place that support each other while identifying criminals and appropriately penalizing them. Recently there has been media chatter about the new administration's thoughts on cybersecurity for the nation; healthcare needs to hold its place at the table, making sure that security policy helps rather than hampers healthcare organizations.

Whether or not the Accountable Care Act is dismantled in the coming months won't significantly change cybersecurity in healthcare. The need to protect the massive amounts of data with which we are entrusted has always been and remains critical. In the past, decisions about cybersecurity were largely made in the data center, but today those decisions are more often guided by board expectations and overall risk tolerance. As the industry continues to look for ways to increase access to safe, quality care, technology will be a major player. That's why it's important for healthcare CIOs and CISOs to educate other executives, employees, and consumers about the importance of a sound cybersecurity strategy that monitors, detects, and mitigates the risk of cyberattack. Cybersecurity is a collaborative effort that involves IT, the business, the patient, caregivers, and the government. If we can educate and promote best practices amongst those players, then we're likely to continue moving healthcare forward, increasing access and safety while decreasing costs. Failure to create secure processes and systems will only continue to increase costs and risk, and reduce access.