Where healthcare and security meet
By Matt Phillion
Cyberattacks target every industry all the time, and healthcare is no exception. According to a recent IBM study, the average cost per healthcare cyberattack is a hefty $7 million. Despite numbers like this, cybersecurity often isn’t the C-suite’s top priority. How can CISOs in hospitals and other healthcare organizations demonstrate the value of strong cybersecurity while a host of other issues vie for leadership’s attention?
“To me, cybersecurity actually is a patient safety issue,” says Wes Wright, chief technology officer with Imprivata. “The industry did both areas a disservice long ago when they separated them.”
Clinicians and other professionals who see patients on a daily basis aren’t necessarily thinking about cybersecurity from a patient safety standpoint. That makes password requirements, security education and training, and other requirements seem less directly connected to patient care and safety—even though they actually are integral to both.
The way to fix this, Wright says, is to ensure that cybersecurity compliance and clinical efficiency improve together. Without the latter, staff will balk at the former. “Healthcare IT professionals were guilty of trying to make folks jump through some pretty onerous hoops in the name of cybersecurity,” he says. “The key is to make doing the right thing—and the right thing here is ensuring things are cyber-protected—as easy, if not easier, than doing the wrong thing.”
Wright suggests health IT talk directly with clinicians about patient safety. Clinicians should know that the 16-character password they’re being compelled to use, for example, is part of how the organization is keeping patients safe.
This also helps keep staff from looking for workarounds, which they will do if they feel that cybersecurity makes their workflow less efficient. “Clinicians are smart, highly trained, and when they see something that makes them scratch their head and ask ‘why am I doing this?’ most of the time they’re going to stop doing it,” says Wright. “It’s not just clinicians—it’s human nature.”
Cybersecurity is part of the patient safety landscape
Improving cybersecurity in healthcare involves more education and training, of course, but it also comes down to putting the right weight on the topic, says Wright. Clinicians have to know that cybersecurity is “as much of a patient safety issue as wearing a mask or preventing needlesticks,” he says. “Until we get there, we’re going to have holes in the ship.”
The tools clinicians use need to be secure. “I hate to say it, but it has to be built into the software, into the process,” says Wright. “When it’s an add-on, people see it as [having] no intrinsic value.”
Again, it comes down to human nature. When cybersecurity requirements that impact both patient safety and efficiency have clear added value, “you’ve found a strong solution for not only your organization, but one that can likely show strong ROI to your C-suite,” Wright says.
“Making security convenient is not easy, especially if you’re unfamiliar with clinical workflow needs and compliance requirements. Healthcare organizations need a partner that understands the healthcare landscape,” he adds.
The ever-growing presence of internet of things (IoT), web-enabled, and web-connected devices across the hospital spectrum may have added more security touchpoints, but these devices have also helped with education and awareness, Wright says. “The general user population for healthcare IT has become far more cognizant of how important security is. I think we’re right on the cusp of things coming together.”
Prior to COVID-19, Wright says he might have pointed to multifactor authentication (MFA) as a common trouble area, but with the increase in working from home there’s been a big uptick in MFA, which has improved the cybersecurity posture for many organizations. “It’s hard to phish someone who has MFA,” he says. “That was a big hole in health IT.”
Appreciation of the importance of digital identity has grown over the past year and a half, not just in healthcare but overall, Wright says. In its simplest form, digital identity is the username and password.
“What we’re starting to realize is that the firewalls and VLANs and VPNs, all that hardware-based cybersecurity stuff out there to protect us, is still relevant but isn’t as pivotal as digital identity is,” explains Wright. “Zero-trust networks are all based on digital identity, knowing that the identity you’re seeing on your network is who you think it is, and verifying that through digital identity events. That monitoring capability is maturing, and I think it’s going to take us to the next level of cybersecurity in healthcare.”
Get out into the field
The first thing information security executives need to do, Wright says, is to go out where the work is being done.
“Stand back and watch how these clinicians are using IT,” he says. “It’s amazing when you have an IT person going to watch clinicians work and can then take these IT tools and tweak them to align better with the workflow the clinicians are trying to get to. That’s the very first step. It’s very actionable. Get out to where the work is being done and observe that work.”
The next step is more tactical. Wright recommends a system, such as a single sign-on tool paired with an access management tool, that effectively hides the long passwords users are required to have.
“We have to use technology in a way so that users don’t have to remember huge password requirements across a multitude of applications and system logins. The technology does this instead, ultimately decreasing time in administrative processes and [increasing] time spent with patients,” says Wright.
He doesn’t think the industry is lagging behind on single sign-on usage. Where the industry struggles is with legacy applications, which single sign-on systems still need to integrate with. “In healthcare, those legacy apps are going to be out there forever, so we have to keep those in mind when we’re designing software,” he says.
Many horizontal vendors leave healthcare behind because of this challenge. “Application rationalization in healthcare is kind of an oxymoron,” says Wright. “The number of apps a healthcare professional uses during a normal clinical day is astounding.”
Healthcare contains specialties within specialties, each with specialized software that works for those processes. If a pair of neurosurgeons bring in a large income every year and insist on using a particular software system, the organization is going to keep it up and running.
“That’s where we’re at, and why healthcare adopts at a historically slower pace,” says Wright. “Those surgeons don’t care about the software—it’s simply a tool to do the surgeries, and as long as it’s working, they don’t want something new.”
In healthcare, return on investment always comes into play. But proving that part can be easy: Studies have shown that a single sign-on process can save 25–45 minutes a day of clinician time.
“The real key, though, is ensuring everyone sees cybersecurity as part of patient safety,” says Wright. “Until we get solutions that help them see patients more efficiently, we’re going to have tension between the two.”
Wright relates a story of working as a CIO with a children’s hospital, where cyber risk was an especially concerning topic for him. “The patients we were caring for have a Social Security number, date of birth, and address, and the challenge of protecting that data is stressful,” he says. “These young patients have valuable data a cybercriminal wants, and they aren’t going to use it for another 15 years. Their data could end up being compromised for the rest of their lives. I’ve always had this heightened sense of what could go wrong if somebody’s data was breached, and preventing that is really what we’re trying to do.”
If someone breaks into an organization’s electronic medical records, what can they do with them? There are worst-case scenarios such as deleting allergy information or other grim possibilities, and financial subterfuge like selling demographic information on the black market. But incidents like ransomware attacks have become so common that the fear of the loss of prestige after an attack—once a strong motivator for healthcare cybersecurity—has lessened.
It’s less about whether your organization has experienced an attack, says Wright—everyone is at risk on that front. Rather, if you are cyberattacked, “it says a lot about your IT health in how you recover from it.”
In the end, it’s about getting everyone on the same page: Cybersecurity isn’t separate from patient safety, but actually intrinsic to it. “We’re not focusing on cybersecurity because we think it’s cool,” says Wright. “We’re doing it because it’s just as much a patient safety issue as anything else.”
Messaging is key, Wright says. “It’s a matter of sales; frame the ‘why’ of it. All the security tools you want to bring out of your quiver should have a patient safety story around it. They don’t need to know the technical reasons for it. Instead, take to heart the patient safety reasons and explain it in their language.”
Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at firstname.lastname@example.org.