James Thompson, Regional Director for EMEA at SecureAuth looks at the IT security challenges unique to healthcare
Ask someone to name the top priority of a healthcare organisation and they’ll probably say “providing excellent patient care.” But if you ask someone to name a second top priority, they might add, “IT security.” Recent breaches like WannaCry ransomware and past examples such as Anthem have turned cyber security into an urgent concern for every healthcare organisation.
The repercussions of a breach can be on a catastrophic scale, including damaged reputation, widespread loss of patient faith, leaked patient and organisation information, not to mention the detrimental drains on funds, just to name a few. Concerns aren’t restricted to boards of directors and IT teams, many healthcare consumers are well aware of breaches and rightfully anxious about their names, national insurance numbers, birthdates and other personal data falling into criminal hands.
The WannaCry cyberattack is considered to be one of the most prolific attacks ever around the globe, people were locked out of their data with the attackers demanding a ransom, bringing computer systems to their knees. Security is a real concern and something that can’t be overlooked. Keeping data available, confidential and safe isn’t just a business issue – it allows healthcare personnel to provide the best patient care possible. Strong access control is essential for informed treatment and optimal patient outcomes.
In a world where healthcare is increasingly mobile, doctors often require medical data on the spot. Physicians and care providers float between hospitals, clinics, home visits, and private practice offices, checking patient information from a variety of locations and devices. Staff may need to share test results with other facilities, or check an emergency patient’s medical history. While a host of new telemedicine apps and tools allow patients to be treated by their providers regardless of if they travel.
IT teams are left with a dual task, implementing security solutions that safeguard both electronic protected healthcare information (ePHI) and empower doctors to save lives.
The challenges of keeping patients safe
Doctor opinions are weighted heavily when it comes to technology adoption and tends to be chosen by business leaders. But then often the new solution is left with IT departments to manage the new technology stack in a way that satisfies compliance regulations and protects patient data.
Added to this, there are more and more vulnerabilities that healthcare IT professionals must manage, such as the influx of the IoT. Developments include “smart” medical devices, some of which can act as a conduit into an organisation’s network. In cybercrime terms, malicious actors could change a temperature setting on a refrigerator holding biopsy samples, or alter the dosages on a patient morphine drip. One real-world example was when former US Vice President Dick Cheney had a computerised defibrillator implanted to regulate his heart rate, which was designed to shock him back to life if necessary. Unfortunately, the tool could be remotely reprogrammed, making it a potential target for terrorists – and so the remote feature was disabled.
An additional challenge is keeping login credentials out of criminal hands. Attackers are well aware of all of the above and that valuable data is being accessed and shared across a variety of devices, facilities, and departments. Safe remote access to EHR/EMR applications and ePHI has to both meet security requirements and a physician’s necessity for speed and flexible access.
As a result, security and authentication measures must be convenient, otherwise healthcare workers will find a work-around that goes against organisational policies, which could put data at risk.
So how can healthcare IT teams keep their data and their patients protected? The following are guidelines on proactively minimising risk before an attack:
- Look at where ePHI is stored in your organisation and how it’s transmitted and accessed. Remember to examine not just technology, but people and processes too, which includes remote access procedures.
- Make an inventory of all medical equipment and devices that connect to networks and data. Take into account any BYOD practices as well that could interact with your organisation’s systems.
- Identify possible vulnerabilities and security gaps. These could be weak authentication policies, hacker-friendly interfaces, or inconvenient authentication processes.
- Revisit perimeter protections, particularly in terms of offering a frictionless user experience for physicians and administrators. The smoother and simpler a process is, the more likely staff are to follow security and compliance procedures.
In the world of healthcare technology, making intelligent treatment decisions no longer relies only on medical expertise. IT expertise is also critical in keeping login credentials, ePHI and medical data safe and accessible. Stronger security solutions are a vital aspect of not only healthcare IT teams, but the reputation of the industry too.