- Organizations of all sizes need to be working toward maintaining proper data privacy and security measures in the healthcare industry. The threat landscape is continuously evolving, and falling behind could lead to a large-scale data breach.
Healthcare entities need to realize that the industry is highly targeted, and then need to create a culture of knowledge around cybersecurity, according to The George Washington University (GW) Health Informatics Master’s Program Director Sam Hanna. This is a critical first step in organizations being able to prevent, detect, and protect against cyberattacks.
Housed at the School of Public Health at GW, Hanna said his school also known as the Milken Institute School of Public Health.
“Our approach, and the way we designed this program, is to have more of a holistic, managerial approach to the concepts of health informatics and big data in the healthcare field,” Hanna explained. “I often speak to students, and we discuss the fact that we are not talking about just the computer science aspect of it but also how to manage the strategy of big data.”
It’s also important to review ways to actually apply big data to solve problems, he added. It is not enough to address things that are apparent, but also focus on areas that can be planned for and anticipated for in the future.
“Organizations need to develop robust training to address cybersecurity issues,” he said. “They need to educate their clinicians, operations, and administrative staff, and they need to really improve their own IT and security operations, and that includes hiring the right staff.”
Inadequate security staff training is a problem that cannot continue to occur. Whether it is due to budget issues or cost constraints, or due to a lack of focus on the area, this is an area that needs to change if healthcare is going to be able to adapt to and prevent attacks.
Proper data backup is also essential, he stressed.
“If a cyberattack happens, and they hold your information ransom, well, you can pay the ransom, or you can restore your data from a very recent, timely backup,” Hanna explained. “And then you don't really need to worry about it in terms of continuing operations.”
“Those are the kind of things healthcare organizations need to be thinking about, and that seems to resonate with them.”
Maintain awareness of the evolving healthcare sector
Cybersecurity and the culture of privacy and security that often is lacking in the healthcare area has been a larger issue for some time, Hanna maintained.
“I've spent about 20 years in the private industry and in the consulting world, basically dealing with clients, providers, payers, and pharma around issues that affect their [cybersecurity] strategy,” he said.
“What organizations have really been realizing, especially lately with the increasing cyberattacks and compromises, is that healthcare has evolved to be an industry that's so interconnected and so dependent on technology that you cannot separate patient care form the technology itself.”
Billions have been spent on implementing electronic medical records, patient portals, and other technological features. Unfortunately, not much effort or attention has been paid to the concept of security and privacy, Hanna pointed out.
“Even though we talk about protecting patient data and not giving patient information to people without signing a consent form, for example, we as an industry are just now realizing how important and how data-driven we are,” he said. “That's been evident with some of the recent breaches where, basically, hospitals have been brought to their knees. Where doctors and nurses cannot see or treat patients because they have no access to the tools that they need.”
From there, physicians may not have access to records, Hanna observed. Providers may not have access to anything that determines drug interactions, and these organizations have to revert to paper.
One problem that also stems from this scenario, with newer generations in particular, is that those physicians or clinicians do not know how to use paper. They were never trained to use paper records, Hanna explained.
“Now you have hospitals that are basically at a standstill,” he said, noting the MedStar Health ransomware case from March 2016.
Cyber criminals are trying to disrupt operations and benefit from the situation financially, Hanna continued. There are also several reasons why healthcare is an increasingly common target.
“Cyberattacks really happen in the healthcare field because healthcare is an industry that's overflowing with data,” he said. “Information is abundant, sensitive, and it's often not appropriately secured. The healthcare sector also lacks the security skills and the staff to manage these security operations.”
Other industries, such as the financial sector, have been well ahead of healthcare with preparing for cybersecurity attacks. However, there is also a general lack of awareness and training about aspects of cybersecurity from a cultural standpoint, he added.
Social engineering attacks, such as phishing, are often successful because individuals are not properly trained to recognize or respond properly to it.
“That's something that really can only be addressed with further education and training within that group,” Hanna stressed. “Also in healthcare, many of the existing legacy and IT systems are still in use. Those require a lot of upgrading and improvement in technology, and that does not happen as fast and the technology is moving.”
Healthcare organizations also need to be thinking about business continuity planning and disaster recovery planning, he advised. That includes backing up data, knowing how to restore it, enabling remote backups, and having hot sites.
“These are the kind of things that organizations can do address,or at least prepare for cyberattacks,” Hanna stated. “I say prepare because I don't think cyberattacks are going to end. They're always going to be changing and morphing, but we also have to be planning for and adapting to them as they happen.”
How connectivity impacts the industry
Hanna explained that GW recently developed a course on the Internet of Medical Things (IoMT) and connected devices for the Master’s in Health Informatics. The course includes discussion on how there are a lot of new tools, technologies, and devices that “will be coming down the pike.”
Company founders that are making new innovations often focus on the product itself, and what it’s going to do, he said. Oftentimes, they will forget about the security aspect of the product or device.
“It's almost about speed to market,” he cautioned. “Who's going to plug it in first? And then they go back and try to add a layer of security on top. That is really not the most optimal approach because by doing that, and with the propagation of these devices all the time, we're going to see a deluge of these very soon.”
If devices are not secured or protected, then they will potentially be leaking data or even PHI to anyone who has the technological skill to be able to hack that device, Hanna said. This is an issue for the entire healthcare industry.
“Startups and companies that are looking to create devices or looking to work in the IoT space should always keep security in mind,” he stressed. “These companies should always think of that in the design stage of the product, not after it's been sold or after it goes to market. We're seeing an improvement, but we're not quite there.”
Focusing on regular employee training
Healthcare has been behind in understanding cybersecurity and then also doing something about it, Hanna explained. There are a lot of training programs and lots of employee education occurs, but they often skim the surface of what cybersecurity actually is.
These programs will often cover having policies in place or telling employees to not share passwords, but those are “elementary steps.”
“What we need to do as an industry is to further educate about cybersecurity and also build that as a component in our education system as we develop clinicians, as we develop administrators, as we develop staff in the field,” he said.
“For example, in our Health Informatics Master's Program degree here, we build cybersecurity into the core curriculum,” Hanna continued. “We talk about it not just in terms of practice but also in terms of regulations, in terms of what needs to happen from a regulatory standpoint, from an implications standpoint.”
From there, it’s important to talk about steps that all stakeholders – providers, payers, pharma, biotech, new startups working in the field – need to take.
Patient education is also essential, Hanna stated. Patients must be aware of their rights and responsibilities in terms of privacy and HIPAA, but also in how to best use and protect their own medical records. Oftentimes, patients may have access through a patient portal, but certain issues and cyber attacks could even happen through inadequate training on the patient side.
Overall, healthcare cybersecurity requires a comprehensive approach from all levels within an organization, Hanna concluded. Without a culture established around privacy and security, it will be difficult to properly prepare for the evolving threats.