Hospitals must factor patient safety into security strategies
Hackers have proven they can get through hospital networks into medical and Internet of Things devices, which is why it is crucial that patient safety be prioritized when outlining a security strategy to make sure that hackers can’t physically affect patients.
“A CISO should talk in the risk management language of the business, not in the technical management language of the information security field,” said Bryan Hurd, senior executive, security strategy, at Versive, a vendor that uses artificial intelligence to hunt cyber-adversaries and insiders. Hurd previously was head of the Microsoft Cybercrime Center Intelligence Program.
Security executives can make the connection to patient safety by talking to fellow business executives in terms that they understand. Caring for patients transcends beyond their health and includes their information.
“A breach of a patient’s record can lead to identity theft and, worse, medical identity theft,” said Anahi Santiago, chief information security officer at Christiana Care Health System in Delaware. “Medical identity theft is serious and can cause a patient significant financial and physical harm.”
If someone uses a stolen identity to bill fraudulently or to receive care, for instance, the costs of that care can amount to hundreds of thousands of dollars. There currently are no mechanisms for patients to proactively protect themselves.
“An incorrect medical record, due to someone using a false identity, can lead a clinician to make a diagnosis or clinical decision based on bad information,” Santiago explained. “For example, a clinician may order a blood transfusion based on the wrong blood type. The results can be detrimental to that patient.”
And there is a risk in the use of medical devices and their vulnerabilities, she added.
“Although I have not yet heard of a confirmed exploit of an actual patient’s safety as compromised, it’s only a matter of time before this particular threat becomes a reality,” she said. “As such, we need to remain vigilant in the use and security of those medical devices.”
Outside of ransomware, healthcare professionals aren’t often talking about the specific connection between information security and patient safety. Making the connection can help differentiate an organization in the field.
Hurd said that securing patients records should be as critical to hospitals as basic cleanliness, hygiene and procedures designed to stop physical infections.
“Those healthcare organizations that can ensure safety in the physical and virtual realms for their patients will benefit from a higher trust, the true critical component in healthcare,” he added.
There is a great deal of discussion, and hype, about IoT devices in hospitals impacting patient care. Hospitals currently have physical confirmation protocols that often mitigate initial concerns. Physical confirmation of blood typing, confirmation of dosages by multiple parties, and so forth.
To make sure patient safety is properly factored into information security considerations, and to ensure the highest degree of patient safety, CIOs and CISOs must build a bridge to the C-suite and the board of directors to have timely and properly focused conversations about the convergence of information security and patient safety.
The National Association of Corporate Directors, for instance, offers guidance on implementing board-level cyber risk oversight.
One of the principles advises that directors should understand and approach cybersecurity as an enterprise wide risk management issue, not just an IT issue.
“For CISOs who have had difficulty getting the board’s attention, this guidance is an excellent tool to help to open those doors,” Santiago said. “Once those lines of communication are open, tying overall information security investments and initiatives to the core of the healthcare mission is critical. All of the risks to patient safety should be discussed with the board.”
The conversations should not focus on fear, uncertainty and doubt, though, she added. The conversations should align the core of the healthcare mission with the board’s task to oversee that mission, she said.
“These principles and the connection to the risks to patient safety can be a very engaging and enlightening conversation to have with the board,” Santiago concluded.