Today, the way health care organisations manage and use information underpins their ability to function and grow. However, fully protecting information assets and intellectual property is proving increasingly challenging.
According to recent surveys, executives rank improvement of cybersecurity as their top priority in 2017. This ranking is a recognition of the widening gap between the growing security threat to organisations and their ability to protect corporate information assets.
Crucially, health care organisations must contend with an ever-changing security landscape, which brings a range of strategic and operational demands including:
- Increasing compliance and regulatory requirements.
- Ever evolving external and internal threats.
- The risk of data leaks and loss of intellectual property.
- Enabling greater mobile working and personal device usage by employees.
- Interoperability with other health care systems.
- Leveraging cloud services to boost productivity.
- Ensuring business and service continuity plans are implemented.
Managing and mitigating these risks is proving increasingly costly and complex for health care organisations, at a time when security budgets are coming under greater scrutiny. What’s more, the stakes are higher than ever: organisations must do more than simply protect their critical information; they must also safeguard their reputation and revenues.
I differentiate between “health” and “care” here, and try not to use the term healthcare as if it is one, as they see different threat vectors. Health is about preventing disease, and more and more people are using connected devices, from scales, glucometers, thermometers and mobile phones to monitor themselves and connect to their health records through apps and portals. Care is about what happens when you interact with private and public health services and share personal and private health and financial information across the continuum of care.
As with paper records, the most common cause of vulnerability is still human. At the same time, health care is moving from islands of computing to highly interconnected environments with many potential internal and external ingress points through which people, from the bad to the mad, can access the data.
The data stored within care systems was predominantly paper based, with very few controls on access; it contained medical and demographic information and tended to remain very close to the point of creation. As we have moved from paper to electronic storage, and from interface to cloud, this data has become more auditable and more available. At the same time the value of the data has increased immeasurably, as we keep more demographic and financial data about the people we treat. These rapid changes have not always been accompanied by changes in information governance.
At the same time, health and care systems contain more connected devices, including laboratory equipment, diagnostic equipment, infusion pumps and the like. This broader connectivity means that health care organisations must have the appropriate governance, education and cyber defences in place.
We have seen a number of attacks on care systems around the world, and analysis of them has shown many different points of ingress. Some were failures of process, others poorly configured routers, and others the continued use of old hardware and software that is less resilient to attack than current platforms.
In these challenging times, health care organisations need to be able to work with a trusted partner who can bring a range of specialist experience and expertise to bear on security and continuity challenges. While the bad and the mad only have to be successful once to compromise a system, we have to be proactive against threats rather than reactively defending against yesterday’s attack.
Given that the only really secure system is one that is never used, vendors, integrators and clients have an obligation to ensure that their systems conform to the latest security and governance standards and best practices, their workforce is aware and educated on the need and implications of cybersecurity, and their systems are up to date.
In addition, all of the links in the chain must be prepared for an adverse event and have plans in place to protect their patients and clients. They must also maintain business continuity and communicate the event and its implications in a way that preserves brand value, allows people who are affected to take additional precautions, and allows security professionals to deal with the threat going forward.