Health Tech

A Catalyst for Change: How the Change Healthcare Attack Could Do Just That

Dr. Sean Kelly, MD, Chief Medical Officer and VP Customer Strategy, Healthcare at Imprivata; Attending Physician, Beth Israel Lahey Health; Assistant Professor of Emergency Medicine, part-time, Harvard Medical School


If you were struggling to swim in treacherous waters with a lifeguard standing nearby, you would expect them to dive in and save you…but what if they didn’t? The results could be disastrous, or even cost you your life.

 

The healthcare industry’s threat landscape is as concerning for patients and providers as that ocean would be for the strongest of swimmers. Yet we’ve witnessed the federal government behave like a negligent lifeguard when it comes to ensuring the continuity of our public health system, as healthcare organizations struggle to stay afloat and fend off these threats with little budget, a lack of clear guidance, and minimal resources.
 

Yet again, threat actors, practically unabated, have capitalized on the vulnerabilities of the healthcare industry in the recent Change Healthcare attack. As this attack remains in the headlines and under investigation, patients and providers are reeling from the implications – with no end or solution in sight.

 

As a doctor, patient, and above all a human, I’m concerned for the continuity of our public health system. If healthcare continues down this path without any firm requirements from governing entities, its defenses will continue to falter. However, while there is certainly more to be done, we cannot deny that the Change Healthcare attack is generating much-needed conversation both in the media and in Congress. Legislative hearings led by the House Energy & Commerce Committee and the Senate Finance Committee are forcing lawmakers to look more closely at healthcare cybersecurity. Although the Change Healthcare attack sparked chaos, there is some good that could come out of this.
 

Does this attack have the potential to fundamentally change healthcare cybersecurity as we know it? I think yes – it’s about time.

 

Time for a Wake-Up Call

The last time we saw regulations provoke change in the healthcare sector was over a decade ago, when the HITECH Act led to the transition from paper to electronic health records (EHR). Sure, guidelines and best practices like those from NIST, CISA, and HHS are helpful, but they have no teeth because they impose no firm requirements. Digitalization has evolved tremendously since the Meaningful Use initiative…so why haven’t healthcare organizations been able to keep up?
 

Well, healthcare has historically been slow to adapt to digital change, with a lack of budget and IT resources being a challenge. Even the largest hospital systems with significant cyber budgets do not have enough resources to adequately bolster cybersecurity defenses. Cyber insurance plays a role here, as insurance premiums increase in parallel with cyber threats. Although healthcare organizations need to invest in cybersecurity solutions to achieve a lower premium, they’re often implementing solutions to ‘check a box’, and they’re coming up short.
 

Most, if not all, healthcare organizations know how to improve cybersecurity, but the trouble is that there is no limit to how much can be invested in it. This can affect a hospital’s ability to prioritize the most critical cyber investments. Many hospitals are struggling to determine where to start and how to keep up with threat actors, whose full-time job is to actively seek and exploit gaps.
 

Building a comprehensive cybersecurity strategy is almost like building a house, and most healthcare organizations have only laid the foundation. Small and rural hospitals may not even be there, though – as many are disproportionately under-resourced and under-funded. Clearly, there is still a lot of work to be done.
 

Most healthcare organizations have succumbed to the mindset that they will experience a breach or cyberattack: it’s a matter of when, not if. Understandably, the primary cyber focus is often on data recovery or business continuity plans. In other words, their approach is reactive: they focus on cleaning up the bad guys’ mess rather than keeping them out from the start. It’s critical that any new federal standards or incentives are developed with the goal of fundamentally changing this mindset. If we keep paying millions of dollars in ransom payments, we’re only incentivizing the bad guys to continue targeting healthcare.
 

The Change We Need

Beyond the financial and operational impacts, lives are at stake. More than 20% of healthcare organizations have experienced an increase in mortality rate following a cyberattack, while 57% experienced poorer patient outcomes, according to the Ponemon Institute.
 

The vulnerabilities exposed by this attack highlight the urgent need for strengthened cyber defenses and secure access to healthcare information and systems, across all endpoints. It’s imperative that the government establishes minimum standards and provides incentives for healthcare organizations, specifically small and rural hospitals, to invest in robust authentication, access controls, and authorization standards to keep the bad guys out from the start. By doing so, we can effectively safeguard patient data, enhance clinician satisfaction, streamline workflows, and improve the quality of care. It’s a step in the right direction to see congressional leaders like Sen. Mark Warner (D-VA) pushing for minimum cybersecurity standards, but there is still a long road ahead before any legislation is passed that could make a real difference in the industry. 
 

As a practicing doctor, I have a responsibility to advocate for my patients – as do all healthcare professionals. We cannot stand by while this situation worsens. As we watch this investigation unfold, we must urge the federal government to provide the necessary guidance, resources, incentives, and legislation to protect our healthcare system from the escalating threat of cyberattacks.

The editorial staff had no role in this post's creation.