The agenda for the annual Healthcare Information and Management Systems Society (HIMSS) conference, held last week, included a good mix of session topics covering electronic health records (EHRs), advancement of medical devices and health IT, and interoperability of systems and applications to exchange patient data. There also were sessions devoted to the important issues of protecting patient data and enhancing cybersecurity.
For some health systems and physicians, the quality of patient care is the top priority, while cybersecurity sits near the bottom of the list. However, the cybersecurity of the devices and systems that support health care delivery is closely tied to patient safety. For example, a cardiac rhythm management device might transfer protected health information (PHI) through a smartphone, or a physician might transmit a potentially lifesaving prescription to a pharmacy over the internet. If those devices and channels lack protections against cyberthreats, the patient's health and safety could be at risk. Recall August 2017, when the U.S. Food and Drug Administration announced a firmware update, carried out by the manufacturer as a voluntary recall of roughly 465,000 implanted pacemakers, after cybersecurity vulnerabilities were identified in the devices.*
Large hospital systems and health plans typically have more sophisticated tools, vendor relationships and dedicated staff to ensure that patient data, PHI and the systems and devices that support care delivery are as secure as possible. However, that same type of information also resides in the EHRs of a small physician practice, the computer system used by a mom-and-pop drug store, or the records of a rural dentist office.
Smaller entities typically lack the personnel, money and resources needed to safeguard patient data, or even to patch their systems quickly enough to stay ahead of threats. Without targeted communications and education about cybersecurity, these resource-constrained stakeholders might not learn of an emerging cyberthreat until they have already been hit. This can make some smaller health care groups the weak links in the sector's defense.
Creating a Culture of Change and Collaboration
The healthcare industry has a significant opportunity to advance its cybersecurity practices and increase communications, even as technological capabilities grow. The Office of the Assistant Secretary for Preparedness and Response (ASPR)—which coordinates communications with states and healthcare stakeholders during natural disasters—has already established lines of communication with the healthcare sector, and could rapidly disseminate and gather information about cybersecurity threats. Closely partnering with ASPR, as well as other well-established groups—such as the HITRUST Alliance, the National Health Information Sharing and Analysis Center, and HIMSS—could extend the reach of stakeholders and reinforce their communication efforts.
When building a communications strategy for cyberthreats, healthcare stakeholders should consider:
—Which providers are they trying to reach?
—When do they need to reach them?
—How often do they need to reach them?
—What services should they provide to them?
—What form should communications take?
Healthcare stakeholders also should determine whether providers need more than just information about potential threats. Do they also need education, leading practices or guidelines to protect themselves? A web portal or toolkit, for example, could gather basic information about cyberthreats in a single place.
Collaborative Cybersecurity from a Federal Perspective
The 2015 Cybersecurity Information Sharing Act encourages businesses and the federal government to share cyberthreat information in the interest of national security. A provision of that law calls on the U.S. Department of Health and Human Services (HHS) to assemble a panel of industry and government experts to answer questions related to cybersecurity in health care. This initiative led to the June 2017 Report on Improving Cybersecurity in the Health Care Industry. Some notable recommendations from the report include the creation of a “cyber czar” within HHS to coordinate all cybersecurity efforts and push out information and best practices to the healthcare sector. The cyber czar also would work to increase outreach and education across the sector, secure legacy devices and systems, and create models to support small, medium and rural organizations that do not have in-house cybersecurity resources.
Several of the report's recommendations, such as the development of a software bill of materials, have gained traction. A bill of materials would list the software components and versions installed on each medical device, so that patients and providers know what is running on it. It would also give stakeholders a way to identify which devices contain a component with a newly disclosed vulnerability and to ask the manufacturer for a patch.
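As an added illustration of how such a bill of materials would be used in practice (example code written for this page, not from the task force report or from any device manufacturer): the script below reads SBOMs in a CycloneDX-like JSON shape for two constructed devices, compares each listed component's version against a constructed advisory feed, and reports which devices should be raised with their manufacturer for a patch. The device names, component versions, advisory identifiers and the advisory record format are all assumptions made for the example; none refers to a real product or real vulnerability.

```python
"""Match device software bills of materials (SBOMs) against advisories.

Added example, not code from the task force report or any manufacturer.
The SBOM records loosely follow the CycloneDX JSON shape
(metadata.component, components[] with name/version/purl); the advisory
feed format, device and component names, version numbers and advisory
identifiers are all constructed for illustration.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOMs for two hypothetical devices (not real products).
SBOM_FEED_JSON = """
[
  {"bomFormat": "CycloneDX", "specVersion": "1.4",
   "metadata": {"component": {"name": "infusion-pump-x", "version": "3.2"}},
   "components": [
     {"name": "openssl", "version": "1.0.2k", "purl": "pkg:generic/openssl@1.0.2k"},
     {"name": "busybox", "version": "1.27.2", "purl": "pkg:generic/busybox@1.27.2"},
     {"name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"}
   ]},
  {"bomFormat": "CycloneDX", "specVersion": "1.4",
   "metadata": {"component": {"name": "bedside-monitor-y", "version": "7.0"}},
   "components": [
     {"name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
     {"name": "zlib",    "version": "1.2.8",  "purl": "pkg:generic/zlib@1.2.8"},
     {"name": "curl",    "version": "7.61.0", "purl": "pkg:generic/curl@7.61.0"}
   ]}
]
"""

# Constructed advisories with hypothetical identifiers (not real CVEs).
# "introduced" is the first affected version (inclusive); "fixed" is the
# first version carrying the fix (exclusive upper bound).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "openssl", "introduced": "1.0.0", "fixed": "1.0.2r"},
    {"id": "ADV-EXAMPLE-0002", "component": "zlib",    "introduced": "1.2.0", "fixed": "1.2.11"},
    {"id": "ADV-EXAMPLE-0003", "component": "busybox", "introduced": "1.0",   "fixed": "1.30.0"},
]

_SEGMENT = re.compile(r"(\d*)(.*)")


def parse_version(text: str) -> Tuple[Tuple[int, str], ...]:
    """Split "1.0.2k" into ((1, ""), (0, ""), (2, "k")) so that tuples compare
    numerically per segment and alphabetically on any letter suffix.
    Adequate for the dotted schemes used here; real feeds need a
    scheme-aware comparator (semver, vendor-specific schemes, ...)."""
    parts = []
    for seg in text.split("."):
        digits, rest = _SEGMENT.match(seg).groups()
        parts.append((int(digits) if digits else 0, rest))
    return tuple(parts)


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(sbom_feed_json: str, advisories: List[dict]) -> Dict[str, List[dict]]:
    """Return {device name: [finding, ...]} for every component whose version
    falls inside an advisory's affected range. Matching here is by bare
    component name; production tooling should match on purl or CPE so that
    "openssl" from two different packagers is not conflated."""
    findings: Dict[str, List[dict]] = {}
    for sbom in json.loads(sbom_feed_json):
        device = sbom["metadata"]["component"]["name"]
        findings[device] = []
        for comp in sbom.get("components", []):
            for adv in advisories:
                if adv["component"] == comp["name"] and is_affected(comp["version"], adv):
                    findings[device].append({
                        "component": comp["name"],
                        "installed": comp["version"],
                        "advisory": adv["id"],
                        "patched_in": adv["fixed"],
                    })
    return findings


def devices_needing_patch(findings: Dict[str, List[dict]]) -> List[str]:
    """Devices whose manufacturer should be asked for an update, sorted by name."""
    return sorted(device for device, hits in findings.items() if hits)


if __name__ == "__main__":
    results = find_vulnerable(SBOM_FEED_JSON, ADVISORIES)
    for device in devices_needing_patch(results):
        for hit in results[device]:
            print(f"{device}: {hit['component']} {hit['installed']} -> {hit['advisory']} "
                  f"(patched in {hit['patched_in']})")
```

Two points worth noting for anyone building a real version of this: the SBOM is only useful if the manufacturer keeps it current with each firmware release, and the version comparison should use the scheme the component actually follows rather than the simple dotted comparison shown here.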
Cybersecurity Is Part of Patient Safety
The U.S. health sector has remained largely unscathed by recent high-profile events such as the WannaCry and NotPetya outbreaks and the disclosure of the Meltdown and Spectre processor vulnerabilities. However, the sector remains a target for malware, phishing and ransomware attacks because of the diversity and depth of its data, the ease of access to it, and the interconnectedness of the industry.
The healthcare industry has a great opportunity to use cybersecurity to protect the whole patient. This goes beyond the patient’s physical, mental and emotional health, and addresses other measures of well-being, for example, patient privacy, financial security and socioeconomic status. The growing interconnectivity between medical devices, health IT, EHRs, wearable devices and patient access to their own data has made the inclusion of cybersecurity a critical component of the patient safety and protection discussion.
—Produced by Kevin Brault, principal, Deloitte Risk and Financial Advisory, and Federal Health Sector leader, Deloitte & Touche, LLP
* FDA notice, August 29, 2017: https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm