A Better Healthcare Cybersecurity Blanket

By Ryan Hamilton, Chief Technology Officer, MacroHealth
LinkedIn: Ryan Hamilton
LinkedIn: MacroHealth

Change Healthcare will do exactly what its name says: change healthcare. While its mission statement is noble, the immediate industry-wide changes stemming from the recent cyberattack it fell victim to are shining a spotlight on an issue that has long plagued healthcare: cybersecurity. Both payers and providers are watching this industry giant closely as it pays hackers millions of dollars, and executives at those organizations are asking what they can do to ensure they aren’t next. There is no one-size-fits-all solution that counters every cybersecurity threat, but there are ways to increase protection and resiliency. Companies may not be publicizing the protective measures they are taking in reaction to this hack, but below the surface, action is underway.

Healthcare companies aren’t toddlers, but they do need a security blanket. Think of an organization’s cybersecurity like a quilt. The patches are all the software and products added to the organization’s IT infrastructure, including every new vendor, and the seams between them are the attack vectors: the soft spots hackers exploit to get into the network. As more and more solutions are integrated into a healthcare organization, its quilt gains more patches and, with them, more seams, more vectors, and more soft spots.

The challenge is protecting those seams, and in the wake of the Change Healthcare hack, that is what payers and providers are analyzing. Their cybersecurity strategy needs to answer four core questions:

  • How can we proactively protect our systems?
  • How can we identify a breach?
  • How do we respond?
  • How will we mitigate the damage?

The answers to these questions differ for every organization and must be worked out with care: tackling cybersecurity risks incorrectly can introduce new vulnerabilities. Organizations must also understand that cybersecurity is a journey, not a destination; they will need to dedicate resources continuously to keep their IT infrastructure safe.

What can be done to protect the data of the healthcare industry?

Secure IT Infrastructure: Ensure the organization’s IT infrastructure meets industry standards. One way to do that is to become HITRUST certified. HITRUST is expansive and can seem overwhelming; however, organizations can start with the domains and controls that give them the best immediate protection and expand coverage over time. Certification may be a challenge for some organizations to attain, but it is the gold standard for the healthcare industry.

Interoperability: Where vendors of payers and providers work together, the interoperability itself is rarely the cybersecurity problem. It is the lack of shared interoperability standards between different systems that creates security risk, because every bespoke integration is another seam to guard. Organizations can leverage industry standards where possible to reduce the cost and complexity of protecting those seams. In doing so, they must also properly vet their trading partners to ensure each meets the organization’s minimum security standards. Where possible, look to unified platforms to minimize the depth and breadth of point-to-point integrations.

Look within: When it comes to cybersecurity, internal threats are just as likely as external ones. Ransomware attacks often gain their initial foothold inside the organization, through a phishing email that an employee acts on or through any number of vulnerabilities in the IT infrastructure. Some 80% of data breaches involve a human element. So, yes, those phishing test emails are important.

Standardization incentives: Federal and state lawmakers are undoubtedly paying attention to a hack that compromised the data of so many patients. Since there is no one-size-fits-all solution, further regulation may not be the answer; instead, legislators could consider creating incentives, such as financial motivation for organizations to adopt known security standards faster.

Cybersecurity is an investment, one that any organization that comes anywhere near healthcare data must make, and make well. There will always be seams in a healthcare organization’s security blanket, seams that payers and providers alike must protect. As hackers become more creative, this industry must collectively find ways to better protect itself against the next hack.