Research shows us that security breaches can greatly impact a healthcare organization’s reputation. Unfortunately, healthcare leaders are stuck in the cross hairs of consumers and hackers. While consumers want transparency, access to information and assurance their personal information will remain safe, hackers are busy compromising patient information at a faster speed than ever before.
As healthcare IT organizations strive to become more accessible and “open” to support patient engagement initiatives, hackers continue to target and exploit healthcare organizations for monetary gain. The required investment in cybersecurity is often overlooked or under funded until an incident occurs. At that point, the damage to an organization’s reputation may have already occurred.
This situation is being exacerbated by the growth of IoT (Internet of Things) enabled medical devices. While revolutionizing the process and practice of patient care, these tools are making IT networks more complex and difficult to manage as devices dynamically enter and exit the environment. Each device brings with it unique vulnerability and risks that traditional homogenous network platform security protocols do not address.
Fortunately, there a number of things that healthcare organizations can do to protect their connected medical devices against cyber attack, including:
1. Conduct an inventory
Unfortunately, many healthcare leaders are not even aware of how many medical devices are connected to their networks so monitoring and managing risks associated with these devices is a major challenge. What makes this so hard is the dynamic nature in which devices are introduced and removed from the environment. It’s imperative that organizations develop a process to gain the required visibility in order to gather actionable intelligence based on the associated risk.
2. Increase your governance
Security can no longer be referred to an IT problem. The consequences of bad security now reach every aspect of business. Thus, security should be treated as a business issue and dealt with accordingly. Health systems must ensure that sound security decisions are being included at every level of the business. But, it’s equally important to clearly define “owns” and is accountable for the security of your connected medial devices. The dynamic between Clinical Engineering (CE), IT and security is different in every organization. Some organizations think that because clinical engineering owns the budget for connected medical devices that they should also be responsible for overseeing the security of these devices. Others think IT should be responsible. The key is deciding who owns this responsibility, establishing a process and holding them accountable.
3. Create a cybersecurity strategy
It is imperative health systems set a priority to get back to the fundamentals of risk management and good cybersecurity hygiene to improve their overall security posture. Healthcare organizations should review their current overall security strategy to understand how and where connected medical devices fit in. In the past, segmentation, or putting connected medical devices on a separate network, with firewalls around them was they typical protocol. Because of the increasing number of connected medical devices coming into health systems, that this is no longer an effective strategy. Healthcare organizations need to put a system in place that monitors the behaviors of these devices by listening passively to the network and identifying abnormalities in real time. While human interaction is a necessary part of a security strategy, machine learning and artificial intelligence (AI) are becoming very effective defense strategies that should be part of the plan.
4. Establish a workflow process
If a security issue arises related to your connected medical devices, do you know how you will address it? It’s critical to establish a workflow process for responding to an IoT device acting abnormal. This protocol should be integrated into your overall security plan. Unfortunately, many organizations still follow a fairly inefficient and time-consuming workflow process. There are a number of workflow approaches, including establishing an alert protocol to prioritize and address critical issues, that can be utilized. Whatever process your organization chooses, make sure everyone on the team clearly understand their role, what they are personally accountable for and how the process ties into your organization’s larger security process.
5. Allocate the right resources
Healthcare organizations need to determine if they have the right dollars allocated to support the operating costs to keep their connected medical devices secure. If a health system goes out and buys these technologies, puts a governance plan in place and hasn’t thought about the ongoing costs to run the program, they will be disappointed. It’s important to do this cost analysis upfront to determine if it’s more cost effective to handle components of your security program in house or to identify a trusted partner.
Healthcare organizations must strike a balance between enabling patient engagement initiatives, protecting their connected medical devices and ultimately securing patient data. While there is not simple fix to this complex challenge, healthcare organizations often focus on the wrong areas at the wrong time. Organizations must develop and execute the fundamentals of security first before exploring advanced solutions.
This requires a defensive, in-depth approach to cybersecurity that is grounded in a detailed HIPAA Security Risk Analysis and a companion corrective plan and then engaging the organization in the plan moving forward. It’s a hefty undertaking but a critical piece of the patient care puzzle.
Dan L. Dodson is President of Fortified Health Security where he helps healthcare organizations effectively develop the best path forward for their security program based on their unique needs and current situation. He currently serves on the Southern Methodist University Cyber Security Advisory Board. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.