WEDI pushes for a cultural change to fix healthcare industry's cybersecurity vulnerabilities

Citing the growing number of cybersecurity attacks directed at the healthcare industry, a national health IT organization called for a culture change in cybersecurity defense and urged providers to look beyond basic standards.

Despite widespread adoption of health information technology among providers, many are still vulnerable to preventable attacks due to insufficient cybersecurity processes and poor encryption measures, according to a report released by the Workgroup for Electronic Data Interchange (WEDI). The report is based on a series of roundtable discussions with industry leaders who said attacks will intensify as “health data becomes more liquid” in the cloud and across a wide array of providers and business partners.

The healthcare industry experienced a record-setting year of cyberattacks in 2016, leading some to criticize the industry for its inability to appropriately assess risks. Last week, the Institute for Critical Infrastructure Technology (ICIT) called for the healthcare industry to utilize artificial intelligence to combat ransomware threats.

Although equally critical, WEDI offered a slightly different approach, calling on the healthcare industry to change its cultural approach to cybersecurity and comparing the current shift to the Institute of Medicine’s call to action in 1999 to improve quality care.

“While culture change must begin from within each healthcare organization to be more aggressively defensive, it must also extend beyond to the greater landscape of health and life sciences at large to encourage a more collective mindset,” according to the white paper.

“Cybercrime is often a tragedy of the commons where fragmented self‐interests encourage organizations to circle their wagons, rather than transparently communicate and effectively coordinate a response to limit collateral damage to the broader healthcare community.”

As part of that effort, WEDI urged organizations to make cybersecurity an executive-level priority and draw from lessons learned within the financial sector. Surveys show an increasing number of hospitals are involving senior leadership in cybersecurity activities.

WEDI also advocated for healthcare providers to move beyond basic security requirements released by the National Institute of Standards and Technology (NIST) and the Health Information Trust Alliance (HITRUST), which provide the initial groundwork to address cybersecurity vulnerabilities, but don’t address more complex issues like “proactive patch management, legacy decommissioning and realignment of systems.”