Expert roundtable explores the role of cybersecurity in ensuring patient safety
On September 12, 2023, Imprivata brought together leading cybersecurity and healthcare professionals for a panel discussion on ‘Navigating Challenges: Healthcare, Cybersecurity & the Government’s Role.’ This blog features key takeaways from the discussion.
Healthcare organizations have faced compounding challenges in recent years. Between staffing shortages, budget constraints, and increased regulatory guidance on cybersecurity, organizations are struggling to bolster defenses while ensuring security measures don’t hinder patient care.
Moderated by Dark Reading cybersecurity journalist Nate Nelson, this roundtable conversation offered perspectives on these challenges from a distinguished panel of experts:
Dr. Sean Kelly, Chief Medical Officer and SVP Customer Strategy, Healthcare, Imprivata
Greg Garcia, Executive Director, Health Sector Coordinating Council
Aaron Miri, SVP and Chief Digital Information Officer, Baptist Health
Continue reading for key highlights and insights from the conversation.
Cybersecurity is patient safety
Nate Nelson initiated the roundtable by going over statistics that expose healthcare’s pressing need for strong cybersecurity.
No one in the healthcare sector is exempt from cybersecurity risks. In fact, 99% of organizations report experiencing a cyberattack in the past 12 months, and 58% report an increased frequency of these attacks. The year 2023 will break the record for the most individuals affected by data breaches. Already this year, the medical information of over 40 million patients has been involved in data breaches.
While not every attack results in a data breach, many do. Breaches obviously hurt the bottom line, but they also imperil the patients that healthcare organizations care for: 32% of organizations report having to divert patients to alternative facilities after a cyberattack, and 31% say cyberattacks have delayed procedures and tests, resulting in poor patient outcomes.
These alarming numbers point towards the fulcrum of the roundtable discussion, which was, in the words of Aaron Miri of Baptist Health: “Cybersecurity is patient safety.”
Digital transformation in healthcare
Healthcare organizations today utilize a range of digital health tools and technologies to improve clinician workflows and patient outcomes. This digital transformation will only accelerate in years to come. Unfortunately, new tools and technologies can also increase the attack surface and risk of potential cyber threats.
But the prevalence of life-changing and lifesaving technologies in healthcare will only continue to increase as digitalization evolves. Healthcare organizations need to understand the risks that arise from digital transformation and respond with increased communication with staff and vendors, and the effective management and mitigation of cybersecurity risk.
Approach digital transformation with a focus on risk management
Aaron Miri highlighted that open discussions about cybersecurity are crucial to risk mitigation. Furthermore, organizations need to prioritize managing and mitigating risk because it can never be fully eliminated.
“There are no failsafe, foolproof mechanisms to digital transformation,” Miri said. He went on to stress the importance of making sure your board of directors and leadership teams understand the impossibility of eliminating risk. Instead, organizations must determine how to accurately assess risks, so they can be properly managed.
Greg Garcia agreed, highlighting how technology vendors and healthcare organizations should form a partnership. “All sides need to clarify the commitments and responsibilities on the side of the manufacturer or vendor, and those on the side of the purchaser. Because cybersecurity is a shared responsibility.”
Close the gap between cybersecurity and patient safety
Dr. Sean Kelly offered a clinical perspective, pointing out that within the complex ecosystem of providers and vendors, you have doctors, nurses, and staff who need to use these systems to do their jobs. While it’s important to focus on “trying to keep the bad guys out,” he explained, “you still need to let the good guys in.”
Today’s technology has moved healthcare past the days when organizations had a physical perimeter. In the new, borderless environment of contemporary healthcare, you’re faced with either locking everything down to make technology super secure but difficult to use or opening it up to be super easy to use but very risky.
“If you make me wait [for access to the system] in order to be compliant and prevent harm to patient safety due to a breach,” Dr. Kelly said, “and it takes me a minute and a half to get through all the security layers, that person with a stroke has already lost brain. That person with a heart attack has already lost heart muscle.”
There's a delicate balance between mitigating the harm of a data breach and mitigating the harm of obstructing clinicians trying to do their jobs.
“The good news is it’s actually possible to deliver better security and more usability at the same time,” Dr. Kelly said. “And that’s the sweet spot.”
The role of cybersecurity insurance
The panel also discussed the role of cybersecurity insurance in healthcare. They agreed that while cyber insurance can play a key role in mitigating risk, there are challenges to its effectiveness and accessibility. For one, cybersecurity insurance is becoming harder to obtain unless organizations demonstrate robust and diligent cybersecurity practices.
Dr. Kelly emphasized the need for healthcare organizations to understand their specific cybersecurity policy requirements. “It's so hard to stay abreast of it all,” he said. “It feels like there's so many places trying to reinvent the wheel and just getting this verdict of insurance companies saying, ‘Oh, look, we're going to have to double your premiums and halve your policy and make you sign this waiver.’”
Aaron Miri agreed, “I believe cybersecurity premiums are increasing like 40% a year. To the point where it's becoming basically untenable for most organizations to have cybersecurity insurance.” Greg Garcia concurred, mentioning that some insurance companies are pulling out of cybersecurity insurance due to the increasing risks and costs.
But ultimately, anything that healthcare organizations do to fortify security will also help them get and keep cybersecurity insurance coverage.
The government’s role in improving healthcare cybersecurity
So how do organizations get to that sweet spot between tough security measures and ease of use?
Aaron Miri said, “Start with the fundamentals. Know who's coming into your healthcare system, and who is exiting your healthcare system.”
All panel members agreed that the government should provide incentives, funds, and resources for healthcare organizations to invest in cybersecurity, especially at a time when budgetary constraints present challenges.
Greg Garcia highlighted the need for government support paired with shared responsibility between healthcare providers and technology vendors. “We talk quite regularly about the issue of small, rural, critical access health systems that don't have the resources or expertise to invest in cybersecurity. That’s a major target for us – how we build a culture of cybersecurity into those organizations that really can't afford it.”
Aaron Miri mentioned the free government resources available to help healthcare organizations enhance their cybersecurity measures. “There are free frameworks out there provided by NIST [the National Institute of Standards and Technology], all paid for by your tax dollars. The NIST cybersecurity framework is downloadable.” He also mentioned free resources available from the Office of Civil Rights and the FBI. “You don't need to have unlimited funds to get started with good cyber hygiene.”
The sweet spot
“The future of healthcare security will involve leveraging technology to understand digital identity and control access to systems,” Dr. Sean Kelly said. “Good technology, processes, and people can deliver better security and more usability simultaneously.”
He went on to stress the need to partner with industry experts or combine your own teams’ expertise with managed services when developing strategies to optimize both workflows and security.
To explore digital identity solutions that provide cybersecurity purpose-built for healthcare, read our whitepaper: Protecting patient privacy is everyone’s job.
You can also watch the full webinar here: Navigating challenges in healthcare.