Balancing cybersecurity concerns with patient needs in an era of increased risk
Significant security incidents are common occurrences in healthcare organizations worldwide. In fact, 82% of hospitals reported they had experienced a significant security incident in the past 12 months, according to the 2019 HIMSS Cybersecurity Survey.1
“Today, information security is a top C-suite priority in the healthcare industry,” said Paul McRae, senior director of global healthcare programs at ServiceNow, as he kicked off a panel discussion on cybersecurity at the ServiceNow Knowledge 2019 Conference in Las Vegas. “Patient care, safety, and privacy are at risk. Healthcare as an industry has responded by creating a culture of governance, risk management, and compliance.”
The challenge for healthcare organizations, then, is to optimally communicate necessary information to patients while also managing compliance with regulations such as HIPAA.
To address this challenge, an important first step is to identify all the critical systems and their business owners. Healthcare organizations should consider their business partners’ systems, as well, said Fausto Grelli, Head of Digital Services Enablement at Novartis. “We have a significant number of third-party vendors in every area of the organization. Tracking the risk with our vendors is crucial for us.”
Achieving the balance between optimal communication and regulatory compliance is a sticky wicket for healthcare, said Claude Council, senior manager of cybersecurity at Shriners Hospitals for Children. “The problem is that we could quickly bankrupt the organization if we provide absolute security with zero risk. There has to be a balance between risk and providing patient care, which is the organization's main mission.”
Of course, not providing enough security can result in dire consequences, said Michael Parisi, vice president of assurance strategy and community development at HITRUST. “At the end of the day, if there is a medical device that could be compromised, if there's information that is incorrectly input into a EHR or into a medical record, if a prescription is incorrectly administered, all of that can ultimately result in the loss of human life. It doesn't get any more real than that.”
IT leaders also should perform risk assessments based on HITRUST and then notify business owners of where they need to increase security. To accomplish this, IT leaders can use an algorithm to calculate risk in each system and then let business leaders decide if the level of risk is acceptable. This approach makes it possible for organizations to balance between providing security and allowing internal customers to provide patient care.
Communicating risk to leaders, however, can be labor-intensive. Doing so can involve scouring through spreadsheets, sending control leaders emails pointing out where security weaknesses exist and asking for updates to their systems — and then repeating the same thing two weeks later with the business leaders.
The ServiceNow platform provides timely and consolidated summaries of healthcare system weaknesses to all business owners and leaders. “What we're finding is that the business owners are becoming more engaged because they're seeing it,” Council said. “It's in front of them.” Because of this automated communication, in fact, Shriners has reduced control weakness by a significant percentage.
1. HIMSS. 2019 HIMSS Cybersecurity Survey. https://www.himss.org/2019-himss-cybersecurity-survey.