If you scan healthcare IT news regularly, you’ll notice a recurring theme: healthcare organizations of all sizes across the globe are dealing with an increasingly insidious, dangerous and expensive-to-resolve threat, and while it’s not biological, it is often infectious and can result in enormous financial and human costs.

Over the past couple of years, a steadily increasing number of hospitals and other healthcare organizations have reported data security breaches due to hacking, phishing and ransomware infections. These breaches have forced them to lock down clinical and patient information systems in an attempt to mitigate the risk of being held hostage to hackers’ demands for huge sums of money in exchange for the release of their files.

Three Ontario hospitals recently reported a ransomware attack, as have many other healthcare organizations around the world (including the May 2017 WannaCry attack on the U.K.’s NHS).

Rather than becoming more manageable as healthcare leaders scale up resources to minimize the threat, cybersecurity has only become more complex as hackers grow increasingly sophisticated in their attacks and the market for stolen health data evolves.

On Oct. 21, 2019, Joanne Templeton, Gevity Senior Vice President; Aaron Middleton, Gevity VP and Chief Security Officer; Shane Danaher, Divurgent Chief Operating Officer; and U.S. CIO Jason Ewing presented at the Digital Health Canada Driving the Future of Digital Health 2019 conference on protecting patients in a digital world.

The following are the key takeaways:

The problem isn’t getting any easier to manage

Take a system-wide approach to cybersecurity

  • Unlike other areas of healthcare, cybersecurity is not about being the best at it or differentiating your organization from others; it’s about taking a healthcare-wide approach and working collectively to solve the problem across the entire sector, said Divurgent’s Shane Danaher. Healthcare organizations are under constant attack or are in imminent danger of one, which underlines the pervasive nature of the problem. This requires an organization to always be on the offensive: ensuring awareness, education and vigilance across the entire organization, and putting prevention and business continuity efforts in place in case your organization is the target. Shane cited a case study in which a large, multi-regional healthcare system was struggling to advance its cybersecurity program because it was too focused on defensive approaches and on trying to solve individual security issues rather than approaching the problem more holistically. By first determining a governance structure, building a foundational Information Security (IS) governance program across the enterprise, establishing an IS awareness program, introducing risk management capabilities and defining metrics to measure the program’s maturity, the organization was then able to identify its cybersecurity Achilles heels and implement frameworks, programs, plans and activities to minimize the potential risks and ultimately advance security maturity.

Cybersecurity is not just about tools and technology

  • California-based CIO Jason Ewing noted that the introduction of electronic medical records – and the ever-increasing need to be able to safely and securely share clinical and patient data within and across organizations – has been the major driver for tools, technology, policies and processes that ensure the privacy and security of that data. And while many healthcare systems and organizations have simply invested millions of dollars in IT security tools and hoped for the best, that’s not the only answer, he said. In fact, that approach has lulled too many organizations into a false sense of security. The bottom line, he explained, is that cybersecurity is not just an IT problem; a solid cybersecurity approach and framework is critical. It is essential to focus not only on security tools, but also on processes, controls and governance.
  • Cybersecurity teams need to avoid taking on business risks associated with security. For example, they need to think about issues such as who decides when a computer screen that displays patient health information should time out, as this impacts the workflow of clinicians. The entire workforce, and specifically frontline staff, need to know how to avoid phishing scams and other potential threats.  
  • The first step, Jason said, is to establish a governance, risk and compliance structure that clarifies who decides what and the risk tolerance within the organization; the next is to build a risk registry so you have the full picture of your likelihood and probability risk posture, which will set the stage for safeguard and remediation efforts.
  • You also need to balance technology solutions against operational efficiency, he said: if the security process (such as multi-factor authentication) for accessing and sharing EMR data is overly time-consuming, clinicians are not likely to use the system and may discourage its use.

Ontario Health Teams requirements will drive a whole new cybersecurity paradigm

  • Gevity’s Aaron Middleton observed that the formation of Ontario Health Teams will change the way hospitals, physicians and home and community care providers deliver services, all supported by digital solutions. These solutions may include existing systems with expanded types of users, system consolidations across multiple organizations, and new patterns of interoperability. The result, he noted, will be a more complex cybersecurity paradigm than we have ever seen to date. This new landscape will be made up of multiple collaborating organizations, some of which may fall under different governance and security standards, and expanded access to patients and providers. Add to that mix an increasing number of internet-connected medical devices and the expectation that any patient or participant should be able to receive a unified response to a request for access to their personal health information from any OHT participant organization, and the mind-boggling complexity of the issue quickly becomes apparent. Building on what Shane and Jason had identified, Aaron observed that collaboration and alignment of culture, governance, process and standards will be fundamental to OHTs’ continued protection of personal health information.

Conclusion

The bottom line is that Ontario healthcare organizations that participate in Ontario Health Teams will have to focus much more on the issue of cybersecurity than they ever have and must prepare to respond more collaboratively than individually to the issue.