Cyber Resilient Digital Health: It’s Not Just About Security Anymore
Given the current state of technology access and an equally expansive threat landscape, it is hard to fathom how drastically both healthcare and cybersecurity have changed in just the last decade, let alone since the enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 2009.
Just 10 years ago, four out of five of the largest healthcare data breaches were tied to human error. Only two of these incidents were tied to digital patient records and just one was caused by a nefarious actor.
The largest incident in 2014 was a network data breach at Community Health, which exposed the personal information of 4.5 million patients. For comparison, each of the top eight healthcare data breaches last year impacted over 4 million individuals.
In addition to staggering breach numbers, the healthcare sector now also faces recurring, systemwide disruptions to emergency care, payroll, pharmacy, prescriptions, and even provider offices.
As threats have evolved and expanded, digital health has followed. However, for many entities that find themselves among the have-nots of healthcare in terms of resources, effective cybersecurity defenses and policies have not moved as quickly. Some attribute this disparity to resources, others to leadership or C-suite buy-in. But the reality is that something must change. The change must absolutely start with leadership, and it must also permeate throughout the entire workforce.
Cyber Resilient Digital Health
For too long, provider entities have seen security as a list of boxes to check off as complete to meet the requirements of HIPAA. Unfortunately, cyber is often approached, assessed, analyzed, and managed from a functional perspective.
In the interoperable and complex digital health ecosystem, measuring security controls and their costs is not enough, because nothing tied to cyber is ever finished. Cybersecurity tasks and trials will always be a massive undertaking.
The revised vision of cybersecurity may or may not require new tools, but it will certainly rely on a new conviction: Cyber Secure Digital Health. In the same manner healthcare entities had to shift their view on healthcare delivery, Cyber Secure Digital Health will require the same innovative stance for cyber resiliency.
Healthcare entities can no longer only focus on keeping data and patient privacy secure. Under the current state of threats and the obvious business impacts, it’s clear cybersecurity must be part of business strategy and performance as a capability. Leadership must incorporate policies, practices, and technology able to protect care delivery and the availability of systems.
Comprehensively assessing the interconnected infrastructure and vendor connections, as well as the cybersecurity capabilities within a healthcare enterprise, means taking a holistic view of operational efficiency and the resiliency of people, processes, and the technology in use, as well as the maturity of practices, gap analyses, and the costs of ownership and operations.
The most common security performance measures available to enterprises, such as vulnerability assessments, penetration testing, and risk analyses, measure exactly those points, coverage and utility, rather than patient care, operations, and business impacts.
The old way of measuring cyber maturity and resilience is not enough, nor has it been for more than a decade. Cybersecurity programs, their management and measurement, coupled with the list of checked boxes, are increasingly inadequate to the task. Industry stakeholders, cyber leaders from major industries, and regulators have said as much for several years.
The voluntary Cybersecurity Performance Goals (CPGs) from the Department of Health and Human Services outline just where healthcare entities should start this new vision for Cyber Secure Digital Health. While these are certainly voluntary, the intent is to make them a requirement in the future.
For more information about Cyber Resilient Digital Health Practices, read the white paper “Cyber Resilient Digital Health: It’s Not Just About Security Anymore. How Do You Sustain the Management of Risk?” by David Finn, First Health Advisory’s EVP of Governance, Risk, and Compliance!