A Cross-Functional Approach
By Tom Gilheany, Portfolio Manager of Security Training & Certifications, Cisco Services
Twitter: @LearningatCisco
Cybersecurity is more critical than ever in healthcare. A survey of U.S. physicians by Accenture and the American Medical Association (AMA) found that 83 percent of physician practices have experienced some form of cyberattack, such as phishing and viruses. Seventy-four percent cited interruption to their clinical practice as a primary concern.
Ransomware has also become a risk, as attackers know health providers will pay to restore their networks as quickly as possible to avoid patient-care interruption. For healthcare institutions, the number of reported major IT/hacking events attributed to ransomware increased by 89 percent from 2016 to 2017.
The Internet of Medical Things (IoMT) poses similar challenges. Connected medical devices such as pacemakers and insulin pumps can be held for ransom, since there are currently no security standards in place for these devices.
Because the current cybersecurity environment places a heavy burden on the industry, it’s essential that cybersecurity and healthcare professionals work together, learn and develop new skills to create a secure environment.
Opportunity from two angles
Cybersecurity plays a major role in the modern healthcare industry and presents new opportunities for both those already working in healthcare and those in IT.
Existing healthcare professionals have a deep understanding of the rules laid out by HIPAA, the regulatory framework that all U.S. healthcare providers operate under. This provides significant context for cybersecurity, as HIPAA specifies rules for data privacy. They also understand the patient care environment. They can determine and prioritize potential risks to patient livelihood, to patient privacy and to other healthcare systems and services.
IT professionals also bring unique advantages, including an understanding of IoT and endpoint security – a strategic asset when securing the patient environment. These individuals can ask the security questions that medical professionals don’t know to ask. However, it’s essential that they gain an understanding of patient care and data privacy regulations in healthcare to fully mitigate security risk.
New skills needed
There are a number of aspects unique to healthcare that are essential to know in order to implement a strong security posture. In addition to a good working knowledge of HIPAA, securing the actual equipment, underlying software and medical devices that support patient care is critical. If a ventilator were to lose power or be hacked, it could potentially be life-threatening.
Even maintenance is a security challenge. Applying security patches to device software must be strategically scheduled to avoid interruption to patient care. In addition, there are payment-processing requirements to observe, and there’s a mandate to prevent Medicare and insurance fraud.
Other aspects of a healthcare cybersecurity posture include risk management, such as supply-chain risk in the handling of Protected Health Information. Healthcare organizations often also handle government information (such as Social Security numbers and Medicare and Medicaid details) and insurance company information – as well as employment status data. It’s critical that all of this data is protected.
A cross-functional approach
A comprehensive security strategy is needed to secure the healthcare environment, and it needs to include skilled talent. Well-rounded healthcare security professionals bring a blend of both industry-specific skills and cybersecurity skills. This presents a unique opportunity for cybersecurity professionals to join the healthcare industry and learn about the context of the industry. It’s also an opportunity for those already working within the healthcare industry to train and get certified in cybersecurity. Bringing together individuals from both healthcare and IT, using a cross-functional approach, is the best way to meet the healthcare industry’s unique challenges and to best ensure the security of patients, their data and their health.