Many findings from a recent report by the Commission on Enhancing National Cybersecurity have direct ties to the future of healthcare cybersecurity, according to Lee Kim, director of privacy and security for HIMSS North America.
The Commission is comprised of “top strategic, business, and technical thinkers from outside of Government,” the White House explained earlier this year, and will make recommendations on how to strengthen cybersecurity measures for both public and private entities.
Last week, the Commission released a report stating why cybersecurity can be difficult to achieve, and made recommendations for how a culture of cybersecurity can be properly incentivized.
“As the world becomes more immersed in and dependent on the information revolution, the pace of intrusions, disruptions, manipulations, and thefts also quickens,” the report’s authors wrote. “Technological advancement is outpacing security and will continue to do so unless we change how we approach and implement cybersecurity strategies and practices.”
Kim discussed in a blog post how the Commission’s findings relate to the future of healthcare cybersecurity.
For example, healthcare organizations often have difficulties finding enough time to assess vulnerabilities and manage them, Kim wrote. The Commission explained how products are often rushed to market, and technology companies are under significant market pressure to innovate and quickly move items to market. However, this often means that cybersecurity becomes an afterthought.
Secure coding practices, as well as better-developed tools that reduce the number of exploitable vulnerabilities in software products, can be greatly beneficial, according to the Commission.
“Some resources that software development companies can turn to include, but are not limited to, secure coding standards and threat modeling resources,” Kim stated. “Imagine a world where healthcare organizations can devote more time to taking care of patients instead of fighting with technology—more secure products would be a boon.”
This has also been discussed in how healthcare organizations utilize medical devices, and how security cannot simply be tacked on later in a device’s life cycle. Rather, security should be implemented from the onset.
“Frankensteined” medical devices cannot be the go-to option, ICIT Co-founder and Senior Fellow James Scott told HealthITSecurity.com earlier this year.
Cutting cybersecurity budgets, procrastinating system updates, and postponing medical device updates could all lead to a healthcare data breach and compromised patient information, he said.
Cyber criminals also often have the advantage in cybersecurity attacks, Kim added in her post. The Commission noted that it is much more expensive to defend a system than it is to attack it.
Healthcare organizations should invest in penetration testing, she suggested. This can help covered entities think like a hacker and learn how best to defend against potential vulnerabilities in their system.
It is also anticipated that there will be an increase in cybersecurity attacks, which could change the current consumer mindset toward data security, according to the Commission. Consumers are not yet demanding cybersecurity and privacy protections, but the increase in attacks could also make consumers more aware of potential risk.
This is especially true in healthcare cybersecurity, Kim wrote, and organizations need to ensure they are investing in products and services “based upon integrated security features that a product or service should ideally have.”
“Many healthcare organizations also do not have sufficient numbers of skilled personnel on their security teams to adequately address the risks in these relatively insecure products and services,” stated Kim. “Furthermore, more breaches and significant security incidents—especially ones which may jeopardize patient safety—will likely have a negative effect on organizational goodwill and thus decrease the numbers of ‘willing consumers’ at healthcare organizations.”
This also ties into the point the Commission made about the cybersecurity workforce gap, which has also been seen in the healthcare industry.
The Commission recommended that the next President should initiate a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020.
“To increase the number of qualified entry-level cybersecurity practitioners, the federal government must work with the private sector to attract more students to the field of cybersecurity,” the Commission stated in its report. “These collaborative efforts also should aim to create pathways into the field for underrepresented populations (e.g., women, minorities, and veterans) and older workers seeking career changes or hoping to leave professions with fewer opportunities.”
Overall, cybersecurity is a national issue that should be a top focus for the private and public sectors. Kim maintained that the healthcare industry can be a “model sector for cybersecurity adoption and advancement.”
“Too much is at stake for the private or public sector to delay making improvements to their cybersecurity programs,” she wrote. “These actions must be taken immediately, given the steep upward trajectory of malicious cyber activity.”