Prioritizing cybersecurity to enable better health outcomes
By: Tim Meyers, Vice President, Federal Cybersecurity and Jason Tone, Senior Vice President, Federal Civilian and Health
This article originally appeared in G2xchange.
It has never been more clear that the strength of our nation’s health infrastructure is critical to our ability to remain competitive globally and meet the needs of the American people at home. For government agencies to be successful in strengthening that infrastructure – and contributing to better public health outcomes in the process – they must embrace modernization and commit to securing the data and systems that comprise the IT foundation of public health.
To do so, federal agencies must prioritize cybersecurity, shifting its place from being one part of the IT discussion to being an imperative at the beginning of any IT investment decision. While data security has been front and center in the health IT systems sphere, federal agencies now must go several steps further: ensuring that data and systems are fully secure at every point of collection, sharing, and management across the entire healthcare ecosystem, from patient to provider and all systems in between. This, ultimately, has a vital role to play in contributing to better health outcomes.
Recognizing health information security vulnerabilities — and their impact
While it has long been understood that data security breaches can have a negative impact on health outcomes, a Ponemon Institute study released last month revealed pervasive and devastating impacts of network attacks on healthcare. The study found that 89% of the surveyed organizations experienced an average of 43 attacks over the past year (almost one per week) and that the attacks are now routinely impacting (or at least associated with an impact on) patient safety. In fact, the study found that more than 20% of surveyed healthcare organizations that had experienced a ransomware attack or other IT compromise also experienced an increase in mortality rates.
To address these potentially devastating impacts, health agencies need to recognize where they are vulnerable. While major data security challenges facing federal health agencies evolve as rapidly as cyber attackers devise new ways to breach security protocols, several key vulnerabilities open the door to these threats and should be addressed as part of health infrastructure modernization plans.
Perhaps the most critical of these vulnerabilities is the pervasiveness of antiquated IT systems. Not only are these systems more prone to bugs and outages, but the more legacy IT and code an agency or clinic has, the more complex it becomes to secure a rapidly growing number of interconnected devices and applications (e.g., the Internet of Medical Things). In addition, growing health data privacy concerns among patients, healthcare providers, and facilities are driving the need for increased levels of security. Add to that the massive increase in the number of data inputs required to effectively deliver government-led public health programs – with each data input needing to be secured. For programs managed by federal agencies and executed at the local level, data entered by individual users and local clinics may be sent to program-level repositories and then transmitted to federal agencies and contractors for analysis and reporting. This is just one example among many that adds up to exponential increases in data flows that must be secured at every stop along the way.
In addition, the people charged with securing health data and systems can be both an asset and a vulnerability. Wide variations in the size and robustness of IT departments and capabilities at healthcare organizations make them prone to cybersecurity weaknesses. Particularly at smaller clinics within the healthcare ecosystem, a lack of staff awareness and training around cyber attacks like phishing, ransomware, and social engineering tactics is common. That gap can erode trust and decrease the effectiveness of public health programs and outcomes.
Identifying actions to improve cybersecurity and health outcomes
Health organizations can help address these vulnerabilities by building cybersecurity into the very foundation of IT infrastructure. While cyber-attacks impact patient health and safety, ensuring cybersecurity can, in turn, help promote better health outcomes. Several key priorities can help begin shifting the tide:
Address cybersecurity from the start — and integrate it with user experience
IT departments should engage with cybersecurity experts at the start of all IT decisions to ensure that modernization efforts are designed on a foundation that prioritizes data security and availability alongside maximizing user experience. A specific example: when IT departments engage with user/customer experience experts up front, they can work together to balance the experience of patient access portals with cybersecurity needs. Securing user access points at the right level, and communicating clearly about it, signals to users that they can trust the security measures they are asked to take and understand why they are needed – helping to ensure that patients, providers, and others continue to use these resources as intended. Developing those applications alongside cybersecurity experts gives IT teams the assurance that the applications they are deploying are hardened against attacks from the get-go. This is not to say that they will never become vulnerable, but that is where resources and training come into play (more on that below).
Improve patient trust — by implementing Zero Trust
By implementing a Zero Trust Architecture (ZTA) for cybersecurity, health agencies and organizations can effectively increase patient confidence in exchanging medical information. The benefits of this can have a cascading impact, ultimately helping to ensure that more patients are willing to provide personal health data and engage with public health programs more of the time – leading to better health data acquisition, knowledge, and potentially better health outcomes.
Implementing ZTA successfully, however, is a significant undertaking – and one that requires shifting mindsets and understanding why the effort is worth the outcome. For instance, consider how ZTA will practically impact work life. Identity management is a core component of ZTA and is required by each ZTA pillar, so it requires regular revalidation of every employee’s login credentials. While this may be time-consuming for all and annoying for some, the outcome is the assurance that no one logging into the health organization’s IT system is a hacker. Now let’s look at what happens when someone’s login credentials are stolen. With ZTA, isolation policies and microsegmentation ensure that those stolen credentials will only authorize access to a tiny portion of the network and system. By reducing and isolating the attack surface, the enterprise will be considered more secure, and the cyber risk posture will be significantly improved. The result? A safer cybersecurity ecosystem, which in turn ensures a more trusted provider-patient relationship.
Shift the culture — and the resources
Understanding that every person in the healthcare organization – from IT department manager to MRI technician to front desk appointment setter – has a role to play in defending health data against cyber threats requires further shifts in culture and attitudes – and the resources needed to see it through. Implementing standardized, staff-wide training and IT department cybersecurity measures should be a priority to enable a first line of defense against common and rapidly evolving threats and to help all employees understand that they are an important part of that line.
Resources should also be prioritized for continuous monitoring and remediation measures, enabling identification of gaps in an organization’s security posture. By introducing these capabilities, everyday vulnerabilities are discovered and reported. These help maintain compliance with government laws and regulations, to be sure, but they also ultimately ensure that patient data is as it should be: available and secure.
To be sure, identifying organizational vulnerabilities and putting in place the right actions to address them all comes back to the patient. From devices to prescriptions to medical history, a secure IT infrastructure ensures that data is available when and where it is needed to enable timely care. In some cases, this can indeed make the difference between life and death. Ensuring data security quite literally keeps small clinics, large healthcare organizations, and the federal agencies that guide and govern them up and running – so they can efficiently and effectively (and without outages or disruption from cyberattacks) do what they are ultimately charged with doing: ensure positive health outcomes.