David Martinez, Security Practice Director for Technologent, was interviewed for Patient Safety & Quality Healthcare Magazine. Martinez explains what makes healthcare data a special case when it comes to protective measures, and walks through the three principles of data security: confidentiality, integrity and availability.
Read through the full interview here: https://www.psqh.com/analysis/the-impact-of-rapid-digital-transformation-protecting-healthcare-data/
By Matt Phillion
COVID-19 created a reckoning between healthcare and technology as we became reliant upon remote workers, telehealth, and more in order to keep patients and staff safe. During the pandemic, the healthcare industry has seen a 50% increase in cyberattacks, and the cost has been astronomical—roughly $7.13 million to address each incident, on average.
Ransomware in particular has become a relentless challenge for healthcare. Sixty-seven percent of healthcare delivery organizations have been targeted by ransomware during the pandemic, and a third of those organizations have been attacked more than once. Ransomware is finding favorite pathways into healthcare organizations, as well: It’s estimated that 90% of phishing emails—which are growing cleverer and more effective—contain ransomware.
“There’s a vast amount of patient information out there,” says David Martinez, security practice director with Technologent. “A lot of that data is stale, but it’s out on the dark web if people want it.”
So what can the industry do to get ahead of these cyberthreats and keep patient and hospital data safe?
Culture can get in the way of successful healthcare cybersecurity, Martinez says. “Healthcare systems somewhat sit back on their laurels and wait for compliance to move them in the right direction,” he says. “Compliance drives them to a place they have to be anyway, and they don’t want to chase a rabbit down a hole; they want to do this to the letter of the law.”
Different aspects of healthcare are at different kinds of cybersecurity risk, so there isn’t one fix for all of the industry’s security challenges.
And even with telehealth expansion, security for brick-and-mortar facilities remains vital. “The pandemic really showed people who were forced to experiment with remote work that you can’t be a remote physician most of the time—you can do telemedicine, obviously, but for surgery and specific treatments you’ve got to be in the building to treat the patient. So physical security comes into play as well,” says Martinez.
Security awareness training is a big part of protecting your data. Staff need to know they can’t plug a USB drive they find in the parking lot into a facility computer, for example. But many vulnerabilities in healthcare come from application manufacturers, Martinez says.
“Hospitals in many instances run older operating systems that can be antiquated—I’ve seen hospital devices running on cobbled-down versions of Windows XP,” says Martinez. “It’s very difficult for the hospital to update that app or run the most current version, and that comes from the manufacturer not pushing to work on an updated operating system.”
He observes that while healthcare is on the bleeding edge of operational technology, it can lag behind on securing that technology.
Who steps up to the plate
That lag isn’t always by choice. Healthcare relies on divergent systems and tools that aren’t necessarily as updated as they could be and aren’t necessarily designed to work together.
“It’s hasty to paint healthcare with a generalized bucket—we need to be a little more granular to see what security problems exist between both sides,” says Martinez. “Many have mixed or hybrid environments.”
Where security was once considered a specialized concern, Martinez says, it’s now become everyone’s job. To this end, it’s worth ensuring staff know that data security isn’t just about money or marketing, but also about patient care. “Having a patient’s records compromised impacts your ability to treat the patient properly,” he says.
There are three principles of data security, Martinez says, and by spelling them out staff and providers can get a better understanding of data security’s impact on care:
- “Confidential data has to be used only by the person for whom it is intended,” says Martinez.
- “Integrity is making sure the data hasn’t changed since the last time you left it,” says Martinez.
- “Availability addresses the ransomware perspective,” says Martinez. Ransomware encrypts the data it reaches, rendering it unavailable for use in patient treatment.
With these three concepts in mind, more potential challenges bubble up. If the data doesn’t have integrity, you’ve lost the chain of custody, and that means someone will have to go back through the record and make sure it hasn’t been manipulated. For example, if a patient’s record notes an underlying heart condition and the record is encrypted, held for ransom, and later restored, does the record still indicate that underlying condition?
“A lot of those files are not individual files,” says Martinez. “They’re part of a larger database. Without data integrity, you can’t be sure it’s not been manipulated.”
Part of the challenge in keeping healthcare apps and programs secure comes from their long development cycle. By the time the app has been finished, tested, and rolled out, the operating system it was built for may have moved on, or there may be new patches and vulnerabilities that affect the app’s functionality.
“You’re going to have to patch it and then make sure the patch doesn’t break anything,” says Martinez. “Eventually the developer is going to want to make money. Software is expensive, plus maintaining healthcare apps comes with liability and testing. What does that do to data security?”
The path forward
Sometimes, ignorance is mistaken for bliss when it comes to vulnerabilities.
“It’s not a popular answer, but I think a lot of folks don’t want to know, because once you know you’re obligated to fix it,” says Martinez. “So they walk a tightrope between knowing and having exact policies in play. Compliance and governance drive how healthcare deals with cybersecurity.”
There is a reliance on adhering to the letter of the law, and not wanting to do less—or, frankly, more—than the law requires.
“There’s a path forward, but it involves unification of information on the government’s side,” says Martinez. “These organizations really should have a federally driven standard that all states adhere to.”
Broadening the term “sensitive data” matters as well. “It’s not just about access” to the data, says Martinez. What happens outside healthcare when data is ransomed has a direct impact on patient care too, though often in ways we might not immediately think of.
“Say you’ve got a small private power supplier to a small hospital,” says Martinez. “Those data standards are not necessarily the same between those two industries. What happens if the power regulations aren’t viable and something happens and the grid is shut down in a rural area?”
Alternatively, we’ve seen massive challenges to the supply chain over the course of the pandemic. If a food supplier is hit with ransomware and can’t make their deliveries to a hospital, that impacts patient care as well.
“Arguably, this has as much of an impact as having patient data hijacked,” says Martinez. “Security has become ubiquitous, but we still have a granular box where data goes instead of treating data with the same broad brush.”
Cost is frequently cited as a reason why cybersecurity lags behind, but it’s far more costly to remain insecure. “If you look at what we spend coming back from breaches or data challenges, the cost of protecting data is far less than the cost of fees, fines, ransoms, and increased downtime,” says Martinez.
Ransoms, in particular, are hard to deal with retroactively. “It’s difficult to deal with paying after,” says Martinez. “A lot of the bad actors are not in countries that enforce [U.S.] standards. With ransomware, there’s no guarantee you’ll get your data back—you’re not dealing with Federal Express, you don’t get a tracking number. You’re dealing with someone who may or may not deliver.”
And even if you get your data back, remember the need to verify what is returned. “Either you pay the ransom or you pay a consulting group to try and pull your data back, and then you’re reviewing it for integrity and all sorts of things,” says Martinez.
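The integrity check Martinez describes, both for the heart-condition example earlier in the piece and for reviewing data that comes back after a ransom or a recovery engagement, is only possible if you recorded what the records looked like before the incident. The example below is added here and is not code from the article or from Technologent: it builds a keyed manifest (HMAC-SHA256 per record) while the data is known-good, then classifies every record of a restored copy as intact, modified, missing, or unexpected. The records, the record identifiers (P-1001 and so on) and the key are constructed for illustration; the point of the key is that a plain hash manifest sitting next to the data would be encrypted or rewritten along with it, whereas a key held off-system (KMS, HSM, or an offline vault) means the attacker cannot recompute valid tags after editing a record.

```python
import hashlib
import hmac
import json
from typing import Dict, Mapping

# Constructed sample records; not real patient data. In practice these would be
# rows exported from the EHR database while it is known to be trustworthy.
ORIGINAL_RECORDS: Dict[str, dict] = {
    "P-1001": {"name": "A. Example", "conditions": ["hypertension", "atrial fibrillation"]},
    "P-1002": {"name": "B. Example", "conditions": []},
    "P-1003": {"name": "C. Example", "conditions": ["type 2 diabetes"]},
}

# Hypothetical key. It must live somewhere the ransomware cannot reach (KMS, HSM,
# offline vault); if it sits on the same file server, the attacker can edit a
# record and simply recompute its tag.
MANIFEST_KEY = b"example-key-stored-off-system"


def canonical_bytes(record: Mapping) -> bytes:
    """Serialize a record deterministically so equal content yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(records: Mapping[str, Mapping], key: bytes) -> Dict[str, str]:
    """Compute one HMAC-SHA256 tag per record while the data is known-good."""
    return {
        rid: hmac.new(key, canonical_bytes(rec), hashlib.sha256).hexdigest()
        for rid, rec in records.items()
    }


def verify_restore(
    restored: Mapping[str, Mapping], manifest: Mapping[str, str], key: bytes
) -> Dict[str, str]:
    """Classify every record after a restore: ok, modified, missing, or unexpected."""
    result: Dict[str, str] = {}
    for rid, expected_tag in manifest.items():
        if rid not in restored:
            result[rid] = "missing"
            continue
        actual_tag = hmac.new(key, canonical_bytes(restored[rid]), hashlib.sha256).hexdigest()
        # compare_digest keeps the tag comparison constant-time.
        result[rid] = "ok" if hmac.compare_digest(actual_tag, expected_tag) else "modified"
    for rid in restored:
        if rid not in manifest:
            # A record that did not exist before the incident is as suspicious
            # as one that changed: it must be reviewed, not silently accepted.
            result[rid] = "unexpected"
    return result


def demo() -> Dict[str, str]:
    """Run the check against a constructed restored copy with three defects."""
    manifest = build_manifest(ORIGINAL_RECORDS, MANIFEST_KEY)
    # Constructed "restored" data: P-1001 lost its heart condition, P-1003 is
    # gone entirely, and a record nobody created before the incident appeared.
    restored = {
        "P-1001": {"name": "A. Example", "conditions": ["hypertension"]},
        "P-1002": {"name": "B. Example", "conditions": []},
        "P-1004": {"name": "D. Example", "conditions": ["asthma"]},
    }
    return verify_restore(restored, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    for rid, status in sorted(demo().items()):
        print(rid, status)
```

Anything other than "ok" goes to a clinician-led review of that chart before the record is used for treatment; the manifest tells you which records to review, not what the correct content was, so it complements rather than replaces an offline backup.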
Martinez says that we should cultivate an elevated perspective on data security and a more unified approach across industries.
“Data is data, and if we behaved that way across the board, we wouldn’t have conversations about who pays what when,” he says. “My grandfather used to say, ‘I never saved money by trying to be cheap.’ ”
Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at firstname.lastname@example.org.
January 19, 2022