Industry Voices—Striking the balance of cybersecurity, interoperability and digital health

In today’s ever-evolving digital landscape, investing in and implementing cybersecurity measures is more important than ever as COVID-19 continues to create new challenges for healthcare organizations of all sizes.

Health systems are responsible for striking the balance between empowering providers and patients to make informed decisions together while ensuring every piece of information is secure, private and never vulnerable to attack.

We have learned how good healthcare data can become very profitable for bad actors. A recent survey found 73% of IT security decision-makers need increased funding to continue to be secure, effective and compliant. Of those surveyed, 55% reported experiencing an increase in ransomware attacks, in large part due to COVID-19-related security lapses and more targeting of the healthcare industry.

Leading organizational cybersecurity

Many health IT solutions have been developed and quickly implemented since the COVID-19 pandemic was declared. Security leaders face the challenge of upholding regular protocols for new technology within environments that demand rapid change.

Among the various technologies used by their organizations, 84% of respondents in the recent survey said email—the most used technology solution during the pandemic—introduces security or cybersecurity risk. Similarly, 70% said telehealth—the second-most used technology solution during the pandemic—increases risk.

These regular security protocols can't be paused just because we're in the middle of a pandemic. Security leaders might work harder, move faster or prioritize certain types of technology, but an entire system can’t be risked to create an immediate response. Just because we need these tools to respond to the pandemic doesn’t mean security protocols can be parked on the side. We must always protect our organizations.

Investing in cybersecurity

A week doesn’t go by without a headline announcing an attempted or successful cyberattack on a health system. Boards, executives, CIOs and CSOs are paying close attention to how their cybersecurity measures keep pace with the drive of cybercriminals. No one wants to be featured in the next headline, so they’re calling for more investment.

The FBI has repeatedly identified healthcare as the sector most targeted by cyberattacks. While the finance industry is spending somewhere between 16% and 20% of its annual budgets on IT security, healthcare has historically spent between 4% and 8%. Those two points are incongruent. Higher risk should lead to higher expenditure.

Staying on top of available technologies on the security side should be as important to a team as innovations on the clinical side. Multifactor authentication and employee education are two simple and important investments for the security of an organization.

A knowledgeable team should be able to monitor an environment, follow protocols, perform regular reviews, watch for red flags, thwart and categorize phishing attempts and cyberattacks, and present that information to leadership to help justify necessary security funding.

Nearly every country talks about cybersecurity in healthcare as one of its top three primary concerns. The U.S. Congress has empowered the Department of Health and Human Services (HHS) to take the lead on information sharing. HHS can act as a go-between for healthcare and other sectors as well as between the healthcare sector and law enforcement or the security community. HHS has embraced the opportunity. It is creating a structure that is supportive of all parts of the healthcare community, not just big healthcare systems.

Interorganizational cooperation

Thankfully, legislation has created an environment where sharing can occur among larger organizations and smaller systems. The head of facilities for a rural clinic doesn’t have the resources or the bandwidth of the Mayo Clinic’s CIO, but they can each pick up the phone and have a two-way dialogue about a new problem. We need to work closely together and be open about what's happening so we can protect as many people as quickly as possible.

New legislation has recently passed to accompany changes to Physician Self-Referral and Anti-Kickback rules, allowing large systems to donate resources to smaller systems to make sure their security is strong and up to date. There is now a gateway for sharing knowledge and resources.

There are also nationally and internationally available resources, such as the Health Sector Coordinating Council’s Management Checklist for Teleworking Surge During COVID-19 Response, that are free and accessible but rely on relationship building, multi-organizational partnerships and learning from trusted entities.

Tom Leary is senior vice president of government relations at HIMSS.