Cybersecurity in Healthcare: What’s Working?
A cynic might argue that cybersecurity in healthcare, like the overall healthcare system itself, is in critical condition. The growing number of internet-enabled medical diagnostic devices, the expansion of electronic medical records, and the prevalence of networked scheduling and billing systems, and inadequate employee training and sensitivity to cybersecurity issues has overwhelmed the healthcare environment. Healthcare employees are often forced to do more with less in order to keep up with technological improvements. As they scramble to do their jobs, employees pay less attention to cybersecurity issues. A recent data breach experienced by the University of California Davis Health system is a typical example of the healthcare cybersecurity problem. In May 2015, UC Davis officials discovered than an employee had responded to a phishing email, giving hackers access to his login credentials that the hackers then used to compromise the records of more than 15,000 patients. This event cannot be dismissed either as an outlier or as a problem caused by a careless employee because similar attacks have already plagued healthcare systems for several years. Because of the regulatory obligations they face under HIPAA, and in the face of competitive pressures from other healthcare providers, hospitals and medical centers are beginning to pay greater attention to cybersecurity matters. Their first order of business has been to improve efforts to attract and retain cybersecurity talent in the healthcare field. General industry trends predict significant shortages of cybersecurity employees over the next five years. Recognizing this, the healthcare industry will need to improve salaries for medical cybersecurity specialists in order to remain competitive and to retain talent that will be lured to other industry sectors that promise greater salaries and career opportunities. Higher salaries might create short-term budgetary issues for healthcare systems, but allocating more budgetary resources to cybersecurity personnel will be justified in view of the higher costs associated with recovering from a data breach. Developing a more robust healthcare cybersecurity workforce is one of six imperatives recommended by the US Department of Health and Human Services. The other five imperatives include streamlining cybersecurity leadership, defining better expectations for secure systems and devices, improving overall device security, increasing employee education, and identifying common risk exposures through better sharing of data and data breach experiences throughout the industry. Manufacturers in the medical internet of things (IoT) industry are already stepping up their efforts to comply with the imperative to improve medical device security. The core of those efforts includes development of cybersecurity standards that all medical IoT device manufacturers will build into their products for matters such as encryption, data storage, user authentication, software and firmware updates, and management of patches and bug fixes for identified security risks. These efforts are doing more than just keeping the patient alive and healthy, but ultimately their limitation is the same that is faced by all modern medicine. That is, just as medicine can treat and cure the patient but it cannot eliminate all incidents of disease, medical cybersecurity initiatives can insulate medical technology systems from hacking but it can never eliminate all cyber threats. Because the cyber threat risk will always be present, healthcare cybersecurity insurance is the final backstop to all medical cybersecurity efforts. Cybersecurity insurance will offer protection to a medical center, for example, where despite all education efforts, a careless or tired employee clicks on an email phishing link that opens the center’s network to a hacker’s prying eyes. That protection includes financial resources to help a center recover lost data and to restore damaged software and equipment. It can also cover liabilities to patients whose data was lost or stolen during a cyberattack, and fines levied by regulatory authorities for HIPAA and other violations. In view of this, healthcare cybersecurity insurance is one of the most effective strategies that does work in the healthcare industry.