Understanding the Risks, Complexity of Healthcare Cybersecurity

August 16, 2021 - From the fields of Fenway Park to the halls of the emergency department at Beth Israel Deaconess Medical Center in Boston to the classrooms of the University of Florence in Italy, Dr. Sean Kelly is on the forefront of both the COVID-19 pandemic and the cybersecurity threat-outbreak that is plaguing healthcare institutions across the country. 

 Kelly is not only a practicing emergency medicine physician in Boston, but also a member of the CHIME Opioid Task Force (a team of health IT leaders,) an assistant professor of Medicine at Harvard Medical School, a visiting professor at the University of Florence, a first aid physician at Fenway Park in Boston, and an adviser on the clinical practice of healthcare IT security.  

Kelly shares his insights into the growing cyberthreats that hospitals, doctors' offices and healthcare facilities across the country are facing. 

The Unique Nature of the Healthcare Industry 

Kelly said that because of the unique nature of the industry and its workers, keeping data and computer systems protected is a complex task.  

READ MORE: How Health Facilities Can Prevent, Mitigate Ransomware in 2021

Healthcare workers, such as doctors and nurses, are moving from workstation to workstation with a variety of system privileges.   

“It's not like it's a bank teller who is an employee of a bank who shows up and logs into one workstation, is there all day, doesn't really use mobile and all of the software and the hardware and all the apps are totally controlled by the organization that they work for and all the security posture and procedures all enforced and maintained by that same employer,” Kelly said in an interview with HealthITSecurity.  

In healthcare, there are shared workstations and different employees logging in from various areas accessing health information, he said.  

With shared workstations and the addition of remote access, which has increased since the pandemic, healthcare workers are logging into their systems from home or mobile devices, which makes security even more challenging, the professor and physician notes.  

In Healthcare, Cyberattacks Have a Higher Cost 

READ MORE: OSU Data Breach Impacts Veterans, More Ransomware Attacks

Kelly said that the impacts of a cyberattack are much greater than in other sectors because of what’s at risk—patients' health and in some cases, their lives. 

“The stakes are actually even higher in healthcare than in other industries,” he said. “If it's a worst-case scenario and there's a breach at a bank, the damage is usually financial, which you can make someone whole by paying the money back, but patients in healthcare, if their information gets out, that can do damage that's far beyond just financial.” 

Once a cybercriminal gets access to protected health information (PHI) of a patient, it’s much more difficult to reclaim the stolen data.  

“If someone has cancer or a private kind of medical condition that they don't want to get out there, it can really harm them reputationally and personally. And ethically and morally, it's just a higher-level problem.” 

Balancing the Ease of Access with Security 

READ MORE: NIST Defines “Critical Software” Per Cybersecurity Executive Order

With so many healthcare employees having various roles and privileges on a healthcare system’s computer network, there must be a balance between keeping access available and protecting data.  

In this setting, losing access to a patient’s EHR could very well be a dangerous situation. 

“Essentially you've got a high premium on usability and efficiency and productivity in the sense that you have to let doctors, nurses and other workers do their job because quite literally a patient's life might be at stake,” he said. “If I'm blocked out of accessing a chart or accessing my digital systems, like the electronic health record, or various other applications I need to get into” that could result in harm to a patient, Kelly noted.  

Keeping patients safe while at the same time, keeping critical data safe, is the ultimate goal, the physician stated.  

“If someone gets in that's actually not authorized to get in, the potential for a data breach and ransomware is enormous,” Kelly said. “We're seeing that across the industry now, unfortunately. Even through the COVID pandemic, we've seen the rate of attacks increasing rather than decreasing. I consider that behavior reprehensible, but it is what it is and we have to protect against it.” 

The need to protect data and ensure only authorized personnel are accessing PHI, but allow for medical staff to access that information quickly, when needed for patient care, is essential, he said.  

“Traditionally, it's been thought of that there's a battle between these two and you get one or the other, but I'm a firm believer that good technology can actually give you more of both,” Kelly said.  

Digital Identity Is Key to Protecting Health Data 

Dr. Kelly said that good technology really is a key factor in the war against cyberattacks on healthcare systems.  

Using digital identity of the users, and the roles they’re in, and the devices they’re on, and the locations they’re accessing the hospitals’ systems from are all key to keeping data safe, he said.  

Installing multi-factor authentication for access to critical systems is another huge protection to ward off cybercriminals and protecting health information, he noted.  

“Just the common practice of actually installing multifactor authentication for access to critical systems can really curtail a lot of ransomware and phishing attacks and cybersecurity breaches,” Kelly said.  

Making that multi-factor authentication (like pins, text messages, etc.) faster and easier for the doctors, nurses and staff that need instant access is another part of the puzzle, he said.  

Push notifications and Bluetooth technology could aid in the authentication process, he said.  

The idea of a firewall for a hospital, for example, is outdated. Moving the healthcare industry to a zero-trust security platform is needed, he said.  

Healthcare literally extends beyond the four walls of a hospital building, especially with remote work, telehealth, home visits and the use of mobile devices.  

“The continuum of care is now a borderless environment,” Kelly noted.  

The Ransomware Debate in Healthcare  

Kelly said as both a physician and an educator, there is no easy answer when it comes to the great ransomware debate: to pay or not to pay.  

Each solution is problematic.  

“On the one hand, the more hospitals pay the hackers, the more they're going to encourage more of this to happen,” Kelly said. “But at the same time, it's a real threat to patients to not pay for [ransom]...the systems are down and there's patient harm that happens and death that happens when the systems are down.” 

“There's a reason we use all these digital systems, and it can really cause serious interruptions in care and decreased quality of care and increase morbidity and mortality like injury and death,” he said. “So, it becomes an issue of it sounds fine in theory not to pay but preventing even one death and also preventing all of that information from being leaked out, it's probably worth the money to do that, especially if it's your information or you or your family member that's presenting to me in the ER that I can't care effectively for.” 

“I'm not in any position of authority to comment on that, but I am sympathetic to those that are affected with that situation,” Kelly said.  

A ransomware attack for a hospital can result in weeks and months of down time, he noted.  

“It's incredibly impactful and negative for those patients affected and then all the people working in the hospital,” he said. 

“Doing the right thing for the patients in front of you and your own hospital's information, I think makes it more inviting to pay for (ransom) than to not because there's a theoretical benefit of not encouraging,” the physician stated. “But there's actual, real danger that's occurring in the moment. And some of these are not insignificant.”