Opinion | Cybersecurity

Health-care sector is far too vulnerable to cybersecurity threats

The views expressed by contributors are their own and not the view of The Hill

The digitization of health care promises to be transformative for patients and medical practitioners alike. New technologies and techniques - including big data, machine learning and artificial intelligence - are already helping to make health-care delivery more efficient, effective and less expensive.

In spite of this vast potential, though, there exists a serious challenge that hospitals and health-care organizations have not yet managed to overcome: keeping patients' personal data out of the hands of hackers. 

Health care suffered more breaches last year than any other industry, according to the Verizon Data Breach Investigations Report. As a result, personally identifiable information was the most common type of data compromised. (Payment card and banking information were second and third, respectively.)

This has important implications. In the event of a financial hack, people can easily get a new credit card number or bank account - even a new Social Security number is possible. But if their health-care data has been compromised, they can't very well change their entire personal health histories.

The scope of the problem goes beyond data breaches. Cyber incidents can potentially impact the safety of patients through interrupting care operations, compromising the integrity of data and damaging medical devices.

So, what can health-care organizations do to protect the safety of their patients from cyber threats?

For starters, they need to devote more resources to safeguard their operations. When it comes to investing in technology, many health-care organizations opt to fund information technology (IT) infrastructure not cyber security.

On one level, this is understandable. The benefits of spending on IT infrastructure, such as making upgrades to server capacity or implementing a new HR system, are immediate and effective. They often result in cost reductions or improved productivity.

Investing in cyber security, on the other hand, is akin to buying an insurance policy. It's risk management for worst-case scenarios that may never happen. But at a time when cyber crime costs the world almost $600 billion a year, health-care organizations cannot afford to ignore this threat.

Investing in cyber security starts with hiring people with deep expertise and knowledge of the issues. Hospitals and health-care organizations are exceedingly complex bodies. But many lack an information security officer.

This needs to change. Having a dedicated person - and team - to develop and implement security standards, controls and procedures is a necessity. 

Next, hospitals and health-care executives need to cultivate a culture of security. This means that every member of staff - from upper management and top physicians to on-call nurses and EMTs - needs to be in alignment that cyber security is a priority.

Creating a culture of security entails a shift in mindset. Nurses and doctors and other medical personnel are busy people with competing commitments. Protecting precious patient data must be ingrained in their every routine. 

What's more, organizations must take a proactive approach to educating workers on cyber threats and counter-measures. After all, in any enterprise, employees are the greatest source of vulnerability to hackers.

Holding seminars that encourage employees to change their passwords every three months or remind them of email protocol is not enough. Not even close. Organizations must provide rigorous, ongoing training that helps employees understand how to create a more secure environment for their patients. Critically, organizations should also seek feedback to improve the effectiveness of the training. 

Creating a culture of security also requires that organizations prepare for times of crisis. No matter how good an organization's prevention tactics are, chances are it will one day be hacked. Medical workers and health-care administrators need to have a clearly defined incident response strategy.

What will doctors do when they don't have access to patient data? How will nurses respond when the ER is being shut down due to a breach? Whose job is it to communicate with patients during a crisis? And who will communicate with the media?

Health-care organizations need a blueprint - similar to a disaster recovery plan - that lays out the steps they will take in the event of an emergency.

Finally, policymakers play a role here, too. Today, the bar for compliance for patient data safety is laughably low. The danger is that hospital administrators and health-care executives are too comfortable. "We comply with the law, therefore we are secure," they think.

This extremely low bar makes hospitals very attractive to cyber criminals. We need stricter state and federal policies and more stringent requirements. The Health Insurance Portability and Accountability Act of 1996, centers around privacy; we need a similar law that's better focused on security. 

This is a crucial moment for cybersecurity in health care. If health-care organizations don't shore up cybersecurity, the next cyber incidents could directly compromise the safety of patients, and it will be too late to intervene. 

Mohammad Jalali is a member of the research faculty at MIT Sloan School of Management who specializes in public health and organizational cyber security. 

Outbrain