A panel of healthcare CIOs and technology suppliers discussed the challenges and opportunities for healthcare CIOs.
It is no secret that ransomware and other cyberattacks are rising phenomenally across the world, hitting every industry sector, and healthcare is one of the biggest targets. The good news is that the healthcare sector relies on internet-connected technology, from patient records and lab results to radiology equipment, to facilitate patient care, engagement and clinical support. The bad news is that those technologies, such as artificial intelligence (AI) and the Internet of Things (IoT), are often vulnerable to cyberattacks that siphon off patient data, attack hi-tech medical systems, or shut down an entire hospital until a ransom is paid.
And now the worst news – despite the rising threat, the vast majority of hospital CIO/CISOs and physicians are not in a position to handle cyber security threats, even though they pose severe threats to patients, doctors and the entire healthcare organization.
At a recent CIO forum on ‘Cyber Security in Healthcare’, organized by the Bengal Chamber of Commerce and Industry (BCC&I) with Medica Hospitals and PwC, CIOs and IT experts in healthcare raised some pertinent issues faced by the sector. They also highlighted strategies to improve cyber security in healthcare organizations.
"Despite suffering from ransomware attacks, organizations remain unprepared for the next round of large-scale attacks," said Vivek Mahadevan, Head - Healthcare Sales, NTT Data India. Quoting a Ponemon report on cyber security breaches in healthcare, he said that data breaches cost the healthcare industry USD 363 per exposed record, more than twice the average across all industries, and this needs special attention.
CIOs at many healthcare firms face several challenges at the moment. Most importantly, they often fail to secure funding for cyber security. “While attacks are becoming increasingly difficult to identify, prevent and mitigate, in mid-sized hospitals, underinvestment in cybersecurity has left many so exposed that they are unable to even detect cyberattacks when they occur,” according to Gunjan Kumar, CIO and Head New Initiatives, Regency Healthcare.
“The result is that while attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks and sometimes months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again,” he stated.
Moreover, as organizations seek to protect their patient information from these growing threats, demand for healthcare professionals who are familiar with the current state of cyber security in healthcare is on the rise. However, Sheryl Jose, Head - Cyber Security, Emcure Pharma Group, observed a wide demand-supply gap as far as trained security personnel are concerned.
“The healthcare cyber security IT shortage is probably due to many hospitals' inability to meet the pay rates like their peers in the financial services sector, which is generally protected by considerably more robust cybersecurity than healthcare,” he mentioned, adding that the big hospitals are probably okay with attracting people and paying for the software and technology, but the smaller and mid-sized ones continue to reel under the crisis.
The panelists also agreed that one of the biggest challenges is that employee awareness and attentiveness to security is still an issue. As Girish Kumar, Vice President - Operations, Welcare Health Systems, noted, lack of basic security awareness among staff as well as state-of-the-art cybersecurity solutions has made the healthcare industry a favorite target for hackers. “If that’s done properly, the cyber security scenario in healthcare organizations is bound to improve.”
The panelists also agreed on some of the most common threats that continue to haunt healthcare:
- Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded to reverse the encryption.
- Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of healthcare organizations.
- Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites.
- Phishing attacks: This strategy sends out large volumes of emails that appear to come from reputable sources in order to obtain sensitive information from users.
- Encryption blind spots: While encryption is critical for protecting health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
- Employee error: Employees can leave healthcare organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.
Kumar also highlighted that another growing threat in healthcare security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems. To ensure patient safety, he recommends that both the manufacturer that creates the device and the healthcare facility that implants it take preventive security measures.
Strategies for improving cyber security
The panelists said that, given the significant financial impact of data breaches in healthcare, CIOs/CISOs and the top management in medical organizations can play an important role in ensuring that they remain secure. As Shuvankar Pramanick, CIO, Sir Ganga Ram Hospital, said, technology professionals in healthcare are continually developing new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm. “However, much is left to be done,” he added.
The discussion yielded the following takeaways for CIOs and IT leaders, as practices that can help healthcare organizations improve their cyber security:
- Establish a security culture: Ongoing cyber security training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
- Protect mobile devices: An increasing number of healthcare providers are using mobile devices at work. “Encryption and other protective measures are critical to ensure that any information on these devices is secure,” says Jose.
- Train staff on handling computers: New employee on-boarding should include training on best practices for computer use, including software and operating system maintenance.
- Use a firewall: Anything connected to the internet should have a firewall.
- Install and maintain anti-virus software: Simply installing anti-virus software is not enough, says Pramanick. According to him, continuous updates are essential for ensuring healthcare systems receive the best possible protection at any given time.
- Have a Plan-B: Files should be backed up regularly for quick and easy data restoration. Organizations should consider storing this backed-up information away from the main system if possible and have a plan B in case of any failure.
- Control access to confidential health information: Access to protected information should be granted to only those who need to view or use the data.
- Use strong passwords and change them regularly: The Verizon report found that 63% of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Mahadevan noted that healthcare employees should not only use strong passwords, but also ensure they are changed regularly.
- Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
- Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.
As with any other industry, cyber security in healthcare isn’t going to improve overnight. Experts believe it is going to take ongoing commitment, by many organizations working together, for patient protection to improve. Fundamental practices, such as keeping staff members informed about potential scams and the importance of changing passwords regularly, can therefore go a long way towards helping healthcare organizations better secure their networks, and the onus lies on CIOs/CISOs, who are the custodians of this change.