Improving Cybersecurity in Healthcare Through Partnerships

By Matt Phillion

The more healthcare relies on technology, the more cybersecurity becomes not just a data concern, but a patient safety concern as well. We’ve seen time and time again what can happen when bad actors get through healthcare defenses, and we know that the industry needs to strengthen security around IT systems and data in the same way it treats other patient-safety focused measures.

Take, for example, the recent cyberattack impacting Change Healthcare: a ransomware attack that crippled revenue flow, pushed some providers into danger of closure, and led to UnitedHealth Group being investigated by the Department of Health and Human Services over how it handled patient data during the attack.

While larger systems are usually the focus of headlines when attacks happen, Frank Forte, CEO of Anatomy IT, points out that the same problems faced by larger healthcare systems are exacerbated in the mid-market or smaller organizations, those with under a thousand full-time staff.

“There’s a resource challenge there,” says Forte. “The availability of talent, the ability to attract and sustain and retain talent is more difficult because of financial restrictions. The mid-market tends to be more sensitive to that.”

Protecting data at this level involves unique barriers to success: these organizations are often fragmented, with many consolidations, mergers, and new partnerships that leave different systems, infrastructures, security processes, and more colliding in varied and difficult ways.

“When you’re dealing with a larger, more established healthcare system, you have a more linear roadmap, but with smaller organizations there’s so much movement,” says Forte. “From pre-acute physician practices, ambulatory care, all the way to acute care or post-acute or senior/assisted living, organizations are being consolidated, and their cyber readiness and IT infrastructure are more fragmented.”

There are also fewer resources and vendors who can provide the type of data protection and IT services larger organizations can afford to work with, Forte says.

“There’s a surge in demand,” he explains. “And a shortage of what I call operational talent, people who can work with budget and resource constraints. You can’t just hand a mid-market organization the NIST framework or punch list. You need to do what’s right for you, in your budget, and that takes a lot of operational skill.”

How to work within your resources

The place to start, Forte says, is to understand what an organization can realistically expect to do and follow recommendations from experts about how to maximize the impact of those decisions.

“The first thing to understand is that this is both an industry and a community problem, not just for providers but also for their partners. It’s our problem, too!” says Forte. “Providers need to lean more on their IT and cybersecurity partners to support them. Go to your partners and ask: ‘What can you do for me right now?’ There are things vendors can do for free or at a minimal cost, and others you can ask if there’s a way to help fund the work, either through value-based care programs or other methods of reimbursement that can help make it more affordable. Being more creative in how you leverage your partnerships isn’t always the first thing you think of.”

There’s a minimum viable product level of protection all healthcare organizations should have, Forte notes, starting with endpoint detection and response (EDR) and multifactor authentication (MFA).

“These two are a must have—we’re almost mandating our clients have it and help them with creative ways to fund it. If they’re not willing to take these steps, it actually puts their security partners at risk,” says Forte.

Fortunately, EDR and MFA can be done at minimal cost for mid-sized organizations, he notes.

The next step is getting a better understanding of your organization’s level of risk.

“Find out how you rate versus your peers,” he says. “This can be done by going through your cybersecurity insurance company or vendor partner. Ask: where are we compared to other, similar organizations?”

Once you know where you stand, you’ll want to start adding basic tools that fit within your organization’s budget.

“Most mid-market organizations are not going to be able to appoint or afford a chief security officer full time,” says Forte. One could be added on a consultative or contract basis with a primary point of contact like the practice manager or CFO, but that contact needs to have the right knowledge base, such as HIPAA requirements and information services.

Knowing what you don’t know

Cybersecurity is a necessity in healthcare, but it is not necessarily something healthcare leaders are familiar enough with to make the right calls on their own—which is why Forte recommends knowing whom in your trusted network to turn to. This might include advisors to your board, members of your peer group, your insurance company, and resources that know how to find the other resources you need to keep your data safe.

“Ask: whom do you recommend? And there’s a close relationship between IT and cybersecurity, so talk with your IT person or department. Ask your provider, who are you using for cyber?” Forte says. “Or look for a company that specializes in partial to full outsourcing of all services. Any company in this space, going back to how this is a community problem, is more than willing to offer pro bono security assessments. Do an assessment and find out where you should start compared to their other clients.”

These resources will help you better understand where the threats are coming from—and we know that the threat landscape changes all the time, so getting expert help to keep up with that evolution is key.

“A lot of cyberattacks right now are coming through email phishing campaigns, social engineering, or through devices or applications,” says Forte. “When you think of how you have thousands of devices across multiple locations, IT is the force field or moat around the providers.”

The type of infrastructure and tools you use should be based on the type and size of your business as well. Not every security tool is built with a small to mid-sized business in mind.

“Are your tools auto-patching? Are applications preapproved and do they interface with each other without creating an opportunity for breaches?” says Forte.

Healthcare is awash in technology that enables patient care, but that also opens up a lot of potential gaps for threats to get through.

“Organizations have assets all over the place, multiple facilities, multiple sources of reimbursement. It’s hard to know what your true IT or cyber spend is when you’re engaging with multiple financial systems. Many don’t know the amount of leakage taking place or the number of assets they have,” says Forte.

Something to consider, given the recent breach and its impact on the affected organizations: can your organization go dark? In an exercise sometimes called a fire drill or code dark, organizations can test what happens if they can’t get on the network for a period of time: can they chart patients, prescribe medications, get into storage areas, even reach their claims processing organization?

“Ask yourself: ‘Do we function if we’re down?’” says Forte. “Get them comfortable in that environment and assess: how long can we be down? What happens if we’re down a day, a week, a month, six months? And really think that through.”

How can the industry make that next leap forward to keep itself secure—and thereby keep patients safer?

“There are two things I think about: the first is the healthcare industry is under a lot of pressure to meet a lot of standards, and it’s the right thing to do but it’s disjointed. We should establish cyber standards just like we have communication standards and have them be standard for all of healthcare. Make it more prescriptive for all to follow,” says Forte. “And then secondly, make it possible for the government to help fund that. The government needs to be involved to create relief for providers in a meaningful way.”

Forte sees the industry heading in the right direction, however, with more awareness that something must be done to stay secure against cyber threats.

“I really believe that all providers need to work with good partners in this space they can lean on and from whom they can get the right advice,” he says. “There’s always opportunities when challenges arise.”

Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at matthew.phillion@gmail.com.