Recent security breaches instigated by hackers targeting the healthcare industry, particularly health insurance providers, are focusing our attention on the range of challenges faced in the securing of confidential patient data.
Myriad security issues were recently discussed by senior healthcare security executives representing five major hospitals and the HIMSS Foundation in an industry forum, “Cybersecurity in Healthcare: The Growing Challenge of Securing Patient Data”, conducted in Washington, D.C. on October 6, 2015. The panel discussion was in-depth and lively, demonstrating real-world security experience within the healthcare industry, as well as with other government agencies, the military, and private sector businesses.
According to the HIMSS Foundation, we know that cybersecurity attacks are almost always the result of:
- Nation-state actors and organized cybercriminals
- Negligent and/or malicious insiders
- Phishing attacks
- Malware (e.g., ransomware, which has increased greatly)
- Botnets (e.g., attacks on command and control servers, denial-of-service attacks, etc.)
The complexity of the technical issues is an ongoing challenge, but a key take-away from this forum was the variety of underlying human factors that must be addressed in delivering state-of-the-art data security and in successfully solving multiple types of security problems.
Internal security threats, such as negligent, incompetent, or malicious actors within an organization, must be routinely identified and swiftly neutralized. But getting proactive buy-in from an organization’s board of directors and senior executives to commit appropriate and sufficient resources to data security infrastructure continues to be a big challenge. Often senior management does not recognize the seriousness or complexity of security requirements until an attack has taken place and damage has been done. Hard lessons are learned from handling data security in a reactive rather than a proactive manner. And because technology innovation continues to outpace security innovation, keeping up with product lifecycle management is critical; falling behind will become a vulnerability for organizations that are not vigilant.
System sophistication and security capabilities must grow across the nation, particularly in bringing the highest standards of healthcare providers in urban centers to more isolated rural providers. As well, “lessons learned” should be routinely sought out. Active lines of communication should be established and maintained, not only within the healthcare sector, but with other sources of critical infrastructure such as federal government departments, key state agencies, and private sector organizations.
“Who are the most important players in healthcare security; who needs to be part of it?” This question was answered succinctly with the need for up-front collaboration and information sharing by the healthcare organization’s Board, C-Suite members and attorneys, the ONC (HHS, Office of the National Coordinator for IT), physicians and technologists, and the larger clinical community; in other words, “Everyone”. The role of the federal government is to protect critical infrastructure, deter cyberattacks through various means including diplomacy, and to secure our “healthcare borders”, which is a priority at the forefront of public policy.
One thing is certain: the adoption by healthcare providers of baseline, measurable standards is needed to secure data, establish and maintain trust, and safely share patient data between disparate systems.