Commentary: Why information security is a patient safety issue
Closeup shot of an IV drip with an unconscious patient in the background
It probably won't surprise you that privacy, security, quality and safety are some of the most relevant topics to hospital executives and health IT pros these days.
At first glance, they might seem to stand at nearly opposite ends of the continuum linking healthcare and technology. While privacy and security are focused largely on technical infrastructure, quality and safety are focused on best practices for clinical care delivery.
But they have more in common than would first appear – especially as security threats are becoming all-enveloping and insidious, and increasingly threatening todisable critical clinical systems, potentially for weeks (or more) at a time.[Join Your Peers at HIMSS’ Healthcare Security Forum! Register Today]
Sound security practices aren't just about maintaining HIPAA compliance or preventing embarrassing breaches from making headlines anymore. With ransomware running rampant and cyber criminals honing their craft in ever more creative ways, the protection of critical IT systems and connected medical devices goes to the heart of patient safety.
A pair of recent studies outline the severity of the threat, but also offer rays of hope that hospitals may finally be finding their way to getting a handle on security strategies.
The Report on Improving Cybersecurity in the Healthcare Industry, published in June by the Healthcare Industry Cybersecurity Task Force at the U.S. Department of Health and Human Services highlights the distinction between technology and quality/safety that's fast becoming obsolete.
"Within the healthcare industry, cybersecurity has historically been viewed as an IT challenge, is approached reactively, and is often not seen as a solution that can help protect the patient," HHS officials wrote.
Without having experienced a costly breach, HHS added, the value of robust security practices was often hard to even articulate: "Many security professionals and organizations have difficulty demonstrating the importance of cyber protections and how proactive risk mitigation can save money and protect against reputational damage in the long-term."
Increasingly, of course, it's becoming harder and harder to ignore the imperative of good security. And it's certainly harder to pretend that protecting a hospital from OCR fines or negative PR is the primary goal for keeping patient data on lock.
HHS sees positive signs – "organizational culture shifts and increased support and direction from leadership" – that are leading to "changes to the way providers perform their duties in clinical environments."
But there's hard work to do. One of the must-dos listed in the department's report is for hospitals to bolster security and resiliency of medical devices for the clinical systems to which they connect.
"The healthcare and public health sector is charged with keeping patients safe," officials wrote. "This includes physical and privacy related harms that may stem from a cybersecurity vulnerability or exploit. If exploited, a vulnerability may result in medical device malfunction, disruption of health care services (including treatment interventions), and inappropriate access to patient information, or compromised EHR data integrity. Such outcomes could have a profound impact on patient care and safety."
HHS sees some foundational challenges that need fixing in order to shore up the security of devices, EHRs and legacy operating systems, such as secure development lifecycle, authentication and strategic approaches to product management and maintenance.
One critical challenge is that the "relatively short lifespan for operating systems and other relevant platforms such as commercial off the shelf software is inherently misaligned in health care as medical devices and EHRs may be utilized for 10, 15, 20 or more years," according to the report. "Hospitals operate on thin budgets and cannot replace capital equipment like MRIs as quickly as new operating systems are released."</p >
With little to be done about those lengthy product development lifecycles, HHS suggests that providers explore "creative ways" of keeping key systems safe by "engaging key clinical and cybersecurity stakeholders, including software vendors."
Indeed, the companies that make those legacy systems – devices and EHR applications alike – have responsibilities too. "Every vendor and healthcare organization should be able to identify and classify legacy systems and develop an approach (e.g., compensating controls, device update, device retirement, network segmentation, or innovative architectures) to mitigate the associated risks."
Gratifyingly, the healthcare industry is making progress on protecting patients by protecting its clinical systems, as evidenced by the newest HIMSS Cybersecurity Survey, released this past week. A commanding majority of respondents to the poll (85 percent) said their organizations conduct an annual risk assessment – a minimal must-do, to be sure – and the findings suggest that hospitals' priorities are in the right place, with device security a top priority and patient safety the biggest driver for improvement efforts.
"Senior information security leaders know that cyber-attacks on medical devices may lead to serious consequences, especially if the medical device is life-sustaining or life-saving," according to HIMSS. "A hacked insulin pump may deliver a fatal bolus of insulin to a patient. A 'connected' pacemaker may deliver a fatal shock to a patient. The technical know-how and skill set exists among cyber adversaries to compromise these devices. Unfortunately, it is a matter of 'when' and not 'if.' This is not a theoretical problem."
Given the lack of awareness, let alone readiness, around clinical IT security just a few years ago, it's encouraging that in the face of such a stark set of facts, hospitals are upping their game, empowering their CISOs to embrace holistic cybersecurity practices to steady the footing of ever-vulnerable hospitals.
While other industries have had decades to establish security best practices, healthcare is admittedly late to the game. But the myriad security incidents that have buffeted providers these past few years have been a resoundingly loud wake-up call. Thankfully, hospitals are finally benefiting from "heightened situational awareness, know-how, and acumen" and making "significant strides" in protecting their mission-critical technology.