Why information security is a patient safety issue

Commentary: Why information security is a patient safety issue

Cybersecurity requires strategy to succeed and that means putting your priorities in the right place. CISOs and other infosec pros must up their game to make protecting patients the top concern.


It probably won't surprise you that privacy, security, quality and safety are some of the most relevant topics to hospital executives and health IT pros these days.

At first glance, they might seem to stand at nearly opposite ends of the continuum linking healthcare and technology. While privacy and security are focused largely on technical infrastructure, quality and safety are focused on best practices for clinical care delivery.

But they have more in common than would first appear – especially as security threats are becoming all-enveloping and insidious, and increasingly threatening to disable critical clinical systems, potentially for weeks (or more) at a time.


Sound security practices aren't just about maintaining HIPAA compliance or preventing embarrassing breaches from making headlines anymore. With ransomware running rampant and cyber criminals honing their craft in ever more creative ways, the protection of critical IT systems and connected medical devices goes to the heart of patient safety.

A pair of recent studies outline the severity of the threat, but also offer rays of hope that hospitals may finally be finding their way to getting a handle on security strategies.

The Report on Improving Cybersecurity in the Healthcare Industry, published in June by the Healthcare Industry Cybersecurity Task Force at the U.S. Department of Health and Human Services, highlights the distinction between technology and quality/safety that's fast becoming obsolete.

"Within the healthcare industry, cybersecurity has historically been viewed as an IT challenge, is approached reactively, and is often not seen as a solution that can help protect the patient," HHS officials wrote.

Without having experienced a costly breach, HHS added, the value of robust security practices was often hard to even articulate: "Many security professionals and organizations have difficulty demonstrating the importance of cyber protections and how proactive risk mitigation can save money and protect against reputational damage in the long-term."

Increasingly, of course, it's becoming harder and harder to ignore the imperative of good security. And it's certainly harder to pretend that protecting a hospital from OCR fines or negative PR is the primary goal for keeping patient data on lock.

HHS sees positive signs – "organizational culture shifts and increased support and direction from leadership" – that are leading to "changes to the way providers perform their duties in clinical environments."

But there's hard work to do. One of the must-dos listed in the department's report is for hospitals to bolster security and resiliency of medical devices for the clinical systems to which they connect.

"The healthcare and public health sector is charged with keeping patients safe," officials wrote. "This includes physical and privacy related harms that may stem from a cybersecurity vulnerability or exploit. If exploited, a vulnerability may result in medical device malfunction, disruption of health care services (including treatment interventions), and inappropriate access to patient information, or compromised EHR data integrity. Such outcomes could have a profound impact on patient care and safety."

HHS sees some foundational challenges that need fixing in order to shore up the security of devices, EHRs and legacy operating systems, such as secure development lifecycle, authentication and strategic approaches to product management and maintenance.

One critical challenge is that the "relatively short lifespan for operating systems and other relevant platforms such as commercial off the shelf software is inherently misaligned in health care as medical devices and EHRs may be utilized for 10, 15, 20 or more years," according to the report. "Hospitals operate on thin budgets and cannot replace capital equipment like MRIs as quickly as new operating systems are released."

With little to be done about those lengthy product development lifecycles, HHS suggests that providers explore "creative ways" of keeping key systems safe by "engaging key clinical and cybersecurity stakeholders, including software vendors."

Indeed, the companies that make those legacy systems – devices and EHR applications alike – have responsibilities too. "Every vendor and healthcare organization should be able to identify and classify legacy systems and develop an approach (e.g., compensating controls, device update, device retirement, network segmentation, or innovative architectures) to mitigate the associated risks."

Gratifyingly, the healthcare industry is making progress on protecting patients by protecting its clinical systems, as evidenced by the newest HIMSS Cybersecurity Survey, released this past week. A commanding majority of respondents to the poll (85 percent) said their organizations conduct an annual risk assessment – a minimal must-do, to be sure – and the findings suggest that hospitals' priorities are in the right place, with device security a top priority and patient safety the biggest driver for improvement efforts.

"Senior information security leaders know that cyber-attacks on medical devices may lead to serious consequences, especially if the medical device is life-sustaining or life-saving," according to HIMSS. "A hacked insulin pump may deliver a fatal bolus of insulin to a patient. A 'connected' pacemaker may deliver a fatal shock to a patient. The technical know-how and skill set exists among cyber adversaries to compromise these devices. Unfortunately, it is a matter of 'when' and not 'if.' This is not a theoretical problem."

Given the lack of awareness, let alone readiness, around clinical IT security just a few years ago, it's encouraging that in the face of such a stark set of facts, hospitals are upping their game, empowering their CISOs to embrace holistic cybersecurity practices to steady the footing of ever-vulnerable hospitals.

While other industries have had decades to establish security best practices, healthcare is admittedly late to the game. But the myriad security incidents that have buffeted providers these past few years have been a resoundingly loud wake-up call. Thankfully, hospitals are finally benefiting from "heightened situational awareness, know-how, and acumen" and making "significant strides" in protecting their mission-critical technology.
