FHIR, cloud, pop health and social determinants spark new security challenges
Population health and social determinants of health are generating increasing buzz, and together they are poised to change philosophies around care delivery and how a hospital or health system works to keep the surrounding community healthy. While that likely means good things for patients and outcomes, it also drives more sharing, more data and more risk to patient privacy.
There is also a big push for increasing a patient’s autonomy around their personal health information and the access they have to it, especially via personal devices which are likely to be used in the future to communicate directly with providers, if they aren’t already.
There is also the continued push toward interoperability and the use of AI and machine learning. David Finn, EVP of Strategic Innovation for CynergisTek, said that while all these things carry huge potential to positively impact healthcare delivery, they also create new dimensions of risk when it comes to cybersecurity.
“It has been my mantra for ten years that we have to change the way we think about data. It is our most valuable asset. It’s how we run our business and care for patients. But we have not adjusted our thinking about data to how the bad guys think of it. Until we think about what you could do maliciously with that information, I’m afraid we will not catch up with them,” he said.
Many of these trends are already exploding, so it’s no surprise then that they are all included in Finn’s list of top cybersecurity issues healthcare will face in 2019 and 2020. If they aren’t on your list of concerns, Finn says they should be.
1. FHIR and APIs
New proposed standards for interoperability, and new FHIR standards for letting systems share health information and for facilitating patient access through open APIs, recently made waves across the healthcare landscape. Just as patients can reach other personal information, like banking, via apps on their devices, the notion is that they should have equal access to their PHI. Finn said that while he doesn't disagree with that concept, the data standards for the APIs were proposed without anyone talking about security, even though APIs are a known security risk in most industries. Such standards and policies need to have cybersecurity standards embedded in them, which means security has to be as big a part of the conversation as patient care itself.
“To call for that kind of sharing without addressing security points back to all the issues we had in 2018 and prior. We just haven’t elevated privacy and security to the same level of understanding or given it the same seat at the table as we work through a lot of these issues.”
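One concrete form of the "security embedded in the API standard" that Finn is asking for is the authorization layer that patient-access FHIR APIs actually rely on: SMART App Launch scopes, where an access token carries scopes such as patient/Observation.read and is bound to one patient. The check below is an added example written for this page, not code from the article, from CynergisTek or from any FHIR server; the Token and Request data classes, the scope regex and the "GET means read, everything else means write" rule are this example's own simplifying assumptions, and the scope strings used to exercise it are constructed.

```python
# Added example (not from the article or any FHIR server): enforcing SMART on
# FHIR v1 scopes on a patient-facing FHIR API, failing closed on anything the
# token does not explicitly grant.
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# SMART v1 scope syntax: "<patient|user>/<ResourceType|*>.<read|write|*>"
SCOPE_RE = re.compile(r"^(patient|user)/([A-Z][A-Za-z]*|\*)\.(read|write|\*)$")


@dataclass(frozen=True)
class Token:
    """Assumed token model: granted scopes plus the SMART launch 'patient' context."""
    scopes: FrozenSet[str]
    patient: Optional[str]  # patient id the token is bound to, or None for user-context tokens


@dataclass(frozen=True)
class Request:
    """Assumed request model as seen by the authorization layer."""
    method: str                 # GET / POST / PUT / DELETE
    resource_type: str          # FHIR resource type, e.g. "Observation"
    patient_id: Optional[str]   # patient the request targets; None if not patient-scoped


def parse_scope(scope: str):
    """Return (context, resource_type, permission) or None for scopes we do not understand."""
    m = SCOPE_RE.match(scope)
    return m.groups() if m else None


def is_allowed(token: Token, req: Request) -> bool:
    # Simplifying assumption: only GET is a read; every other verb is a write.
    action = "read" if req.method == "GET" else "write"
    for scope in token.scopes:
        parsed = parse_scope(scope)
        if parsed is None:
            continue  # "openid", "launch/patient", malformed strings: grant nothing
        context, rtype, perm = parsed
        if rtype not in ("*", req.resource_type):
            continue
        if perm not in ("*", action):
            continue
        if context == "patient":
            # Patient-context scopes are confined to the launch patient. A request
            # with no patient binding (e.g. an unfiltered search) is refused too,
            # so the token cannot be used to walk other patients' records.
            if token.patient is None or req.patient_id != token.patient:
                continue
        # User-context scopes pass here; the server must still apply the user's own
        # access rights, which this example does not model.
        return True
    return False


if __name__ == "__main__":
    app_token = Token(frozenset({"openid", "patient/Observation.read"}), patient="123")
    print(is_allowed(app_token, Request("GET", "Observation", "123")))   # own data: allowed
    print(is_allowed(app_token, Request("GET", "Observation", "456")))   # other patient: denied
    print(is_allowed(app_token, Request("POST", "Observation", "123")))  # write with read scope: denied
```

The point the example makes is that scope checking alone is not enough: the patient-compartment comparison is what stops a legitimately issued patient token from being replayed against another patient's resources, and unknown or malformed scopes must grant nothing rather than fall through to an allow.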
2. Keep your business associates close and your data closer
In 2018, the number of cyber incidents involving business associates climbed. At the same time, the concept of clinically integrated supply chains is gaining traction because it is a faster and more efficient way of operating; Finn said it also increases risk and exposure to third-party error or misconduct.
“Unless we design all these things with the security built in up front, I’m afraid we may actually be making things worse for ourselves,” he said.
3. Digital transformation and the silver bullet
That transformation, including telehealth, personalized medicine and the use of connected personal and medical devices, is most certainly upon us. While all those methods represent a potential positive impact on care and outcomes, they also mean more data, more formats and more cloud development, and they all carry specialized security needs, especially when it comes to medical devices. On that front, Finn said there are dozens or hundreds of vendors who claim to have solved medical device security, and providers buy a “fancy new tool” they think will find and fix everything. The inherent problem with the “silver bullet mentality” is that tools are just tools.
“A stethoscope has never cured anyone. An x-ray has never healed a broken arm. They are very helpful in figuring out what’s wrong but we are getting away from basics by thinking there is a silver bullet. At the end of the day, it’s going to come back to using those tools to find out where your issues are and what you need to do. But we need people to go in and do that work.”
If there is one area of innovation taking the healthcare world by storm, it’s AI and machine learning. And with good reason. From claims processing to diagnosing cancer, artificial intelligence seems to have limitless potential in numerous sectors of care delivery and operations. But much like the headaches we so often hear about when it comes to launching EHRs and other innovations, AI has the potential to be launched badly. And such tools can also expose systems to risk if security is an afterthought rather than an equal player.
“It takes a really smart person who understands the data to look at what those systems are telling you and make adjustments that actually improve what you are doing. My hope is we start thinking about the security before we start jumping on all this new stuff. We have to do it. There’s no argument about that but we have to do it right.”
4. Moving to the cloud
Cloud computing presents another double-edged sword: operationally it is cheaper and more efficient, at least when it comes to up-front costs, and moving more data and applications to the cloud and getting that processing out of data centers makes a lot of sense, he said. The pitfall is the frequent perception that once something has been handed over to a cloud vendor, the vendor is going to protect it. Third-party risk and a lack of understanding of what the cloud model really means are compounded by the fact that recovering when a cloud-based system goes down, and responding in the case of an attack, are going to be very different with a cloud-based system than when all that data and those applications sat in your own data center, where you control everything.
We need to back up and look at how we are doing it, Finn said. First and foremost, more front-end vigilance is needed when it comes to negotiating contract requirements and fleshing out potential vulnerabilities. And whether you are cloud-based or keeping it all in-house, you still need a detailed response plan and recovery team in case your cloud goes down or is taken down by cybercriminals.
“Just like in your data center you have to have a disaster recovery plan and you have to test it, you still have to have an incident response plan and you have to exercise it to make sure you’re not missing anything,” Finn said. “And we just typically don’t do that with our cloud providers.”
5. Phishing is still a force to be reckoned with
Finally, Finn said that despite hackers’ rampant and successful use of phishing attacks, awareness and training related to phishing actually went down from 2017 to 2018. In fact, 2018 saw more phishing attacks than ever before in healthcare. It is imperative that this seemingly simple method of intrusion be treated with the utmost urgency.
“It comes back to awareness and training which will keep us focused on the real issue which is how we think about data and how we use it,” Finn said.