All eyes are on healthcare organizations. How will they adjust their approach to cybersecurity in the wake of the recent attack on Change Healthcare? Data, used effectively, is an invaluable tool for improving healthcare. But data’s immense value attracts the attention of hackers. There are vulnerabilities in this increasingly interconnected industry, where outside vendors are relied on heavily to assist with the goals of both payer and provider organizations. Healthcare organizations must devote significant resources to assessing their current security efforts.
For healthcare organizations to avoid being victims of the next attack, their executives will need to consider the organization’s positions and preparedness. Healthcare organizations rely heavily on both legacy and modern systems. These systems have been put together piece by piece to address the comprehensive workflows of the organization and the connections between them. Truly strengthening cybersecurity requires an exhaustive look at the exposure of each system and the vulnerable connections between them.
So, how does a company make sure it’s not next? It’s an impossible question to answer. Every organization is different. There is no one anti-hacking service that guarantees complete protection from every potential cybersecurity threat. However, there are four areas where organizations can implement meaningful changes to strengthen their cybersecurity.
Considerations in assessing current cybersecurity risks
- Single point vs. platform solutions: Many organizations will begin to address risk by moving away from single-point solutions and adopting more platform-based solutions. For example, payer organizations can have hundreds, if not thousands, of systems across their enterprise. If an updated solution can consolidate 40 independent products into a single platform, it will strengthen security and streamline monitoring of that one platform, reducing the number of vulnerabilities.
- Interoperability: Healthcare organizations that adopt industry-accepted interoperability standards reduce risk. The industry is moving toward compliance with shared interoperability standards and encryption mechanisms. These standards also allow vendors who sell security software to invest in protecting endpoints and access points, shoring up an organization’s potential vulnerabilities.
- Dreaded silos: Without a holistic approach or shared enterprise strategy, different departments tend to come up with their own siloed solutions. Any time two parts of the organization use different processes, there’s a lack of coordination, which leads to additional risk. When organizations take a holistic approach and develop an enterprise-wide strategy, understanding how each part fits together, they’ll find more success in minimizing their risk.
- Don’t expect a regulatory solution anytime soon: The industry should not wait for government intervention or market trends to respond to recent events. Instead, an immediate focus should be reviewing current practices and evaluating an organization’s risks. Following industry standards and best practices for cybersecurity is essential, but there is no “perfect” approach or “ideal” technical infrastructure. Every organization has unique needs, so there is no one-size-fits-all solution.
Tactical steps to strengthen an organization’s cybersecurity approach
How can an organization translate these elements into its own approach? Use a strong set of principles to design around its unique needs. This will help identify the appropriate characteristics a company needs in its infrastructure: its systems, its people, and the process pieces that are unique to it. Strengthening cybersecurity is a journey, not a destination. Expand current focuses, assess strengths and risks, and consider adopting the key tactical approaches below within the organization’s own approach.
- Expand cybersecurity prevention efforts to include strategies to identify, detect, and mitigate threats. While many organizations prefer to approach cybersecurity from a prevention perspective, that focus can leave blind spots that create vulnerability. Don’t just look for strategies that keep attackers out; threats will only become more sophisticated, and organizations must be prepared to respond. Model scenarios, such as a ransomware incident, to fully understand the implications of an attack and the potential responses to it. Cybersecurity strategies must focus on the ability to identify, respond to, and mitigate threats. With that framework in place, organizations will be better positioned to minimize the speed and disruption of a potential attack.
- Look to industry standards to strengthen a cybersecurity approach. Undertake a full assessment of the organization’s current security: look at the security status of its systems, networks, software, services, and information, and assess its capacity to detect, mitigate, and respond to cyberattacks. Many organizations will look to HITRUST assessment and certification, and companies just beginning to think about security would be wise to become familiar with the approach. HITRUST is a comprehensive security and risk management framework that provides a roadmap for organizations to achieve compliance with security requirements and manage risk. The assessment is resource-intensive because it’s specifically tailored to a healthcare organization’s unique systems, processes, policies, and people.
- Recognize and address threats inside an organization. Healthcare organizations must prioritize people, processes, and tools to improve their security position, as internal actors are more likely to cause data loss than external ones. According to a Stanford University study, most data loss in cyberattacks is due to internal employees, whether individuals fall victim to phishing attempts or commit intentional data breaches. It is vital to ensure an organization has training, policies, and monitoring in place to address internal threats.
- Limit access to sensitive information. Common strategies include adopting new policies and procedures to limit risk exposure by minimizing access to protected information. Consider using ‘least privilege’ access as a default (only give system users the minimum access needed), making anonymized or de-identified systems the standard, and minimizing the number of users with access to sensitive information. Also, consider an anonymized-data-first strategy. Many companies can conduct performance and operational reporting and other workflows with anonymized or de-identified data sets.
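The two ideas in the last step, deny-by-default least-privilege access and an anonymized-data-first view for reporting, are small enough to show in code. The following is an added illustration and is not code from the article or from MacroHealth; the role names, the field names, the sample patient record, and the policy table are all constructed for the example.

```python
"""Least-privilege access check plus de-identification of a patient record.

Added example, not from the original article. An allow-list policy denies
any (role, action, data class) combination it does not explicitly list, and
roles that are only permitted a de-identified view never receive the raw
record. All names and values below are hypothetical.
"""
import hashlib
import hmac

# Constructed sample record; the field names are hypothetical.
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "dob": "1979-04-12",
    "ssn": "123-45-6789",
    "zip": "02139",
    "diagnosis_code": "E11.9",
    "visit_date": "2024-03-02",
}

# Direct identifiers that are dropped before data reaches reporting workflows.
DIRECT_IDENTIFIERS = {"name", "dob", "ssn"}

# Deny-by-default allow-list: a role may perform only the listed actions on
# the listed data classes. Anything not present here is refused.
POLICY = {
    "clinician": {("read", "phi"), ("write", "phi")},
    "billing": {("read", "phi")},
    "analyst": {("read", "deidentified")},
}


def is_allowed(role, action, data_class):
    """Return True only if the policy explicitly grants this combination."""
    return (action, data_class) in POLICY.get(role, set())


def pseudonym(value, secret):
    """Keyed hash: stable for joining records, not reversible without the key."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record, secret):
    """Drop direct identifiers, pseudonymize the patient id, generalize zip."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "patient_id":
            out[field] = pseudonym(value, secret)
        elif field == "zip":
            out[field] = value[:3] + "XX"  # keep only the 3-digit prefix
        else:
            out[field] = value
    return out


def fetch_for_role(role, record, secret):
    """Serve the most restricted view the role is entitled to, or refuse."""
    if is_allowed(role, "read", "phi"):
        return record
    if is_allowed(role, "read", "deidentified"):
        return deidentify(record, secret)
    raise PermissionError(f"role {role!r} may not read patient data")


if __name__ == "__main__":
    key = b"example-pseudonym-key"  # constructed; load from a secret store in practice
    print(fetch_for_role("analyst", SAMPLE_RECORD, key))
```

The point of `fetch_for_role` is that the de-identified view is the default path: a role reaches the raw record only through an explicit `("read", "phi")` grant, and an unknown role is refused rather than falling through to any data at all.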
The healthcare industry will continue to be the victim of cyberattacks. The organizations that make up this industry would be wise to focus on a comprehensive set of assessments and attributes for improving cybersecurity, not a specific map or a specific combination of tools. Create an enterprise-wide strategy for achieving security and minimizing risk. Keep in mind that it’s not just an infrastructure problem to solve. Strong cybersecurity is a vast, interconnected web that must incorporate the correct software, procedures, and workflows and take into account the human element across an entire organization. Cybersecurity perfection does not exist, but a strong defense does.
Ryan Hamilton, the CTO of MacroHealth, is a recognized healthcare IT leader, with a clear vision of the future of digital healthcare and a unique understanding of the challenges associated with the current and emerging delivery models of healthcare in both the U.S. and international markets. He has extensive experience guiding healthcare technology enterprises with innovative and disruptive business models to allow organizations to lead the transformation within their MSAs. Most recently, Ryan served as the Chief Architect for Cerner’s commercial product offerings and platforms covering the full healthcare continuum, including core electronic medical record management, revenue cycle, device integration, population health management, and consumer solutions. Prior to that, he served as the SVP of Strategic Growth and SVP of Population Health during a period of massive growth at Cerner.