Michael Ebert discusses the state of cybersecurity in healthcare with IT security leaders from Hackensack Meridian Health and the University of Miami Health System.
Now more than ever, nuanced regulations, competing stakeholder needs, and the often-asymmetric adoption of innovations versus protections are greatly hindering the maintenance of patient data confidentiality, integrity, and availability. Collaboration and proactive implementation of a strategic cyberdefense strategy across organizations is imperative in today’s healthcare environment.
During the HealthIMPACT Live Winter Forum, Guidehouse Partner Michael Ebert discussed cybersecurity and innovation in healthcare technologies with Melissa Lawlor, Director of IT Security GRC at Hackensack Meridian Health, and Dr. Mauricio Angée, the Chief Information Security Officer at the University of Miami Health System.
They highlighted that while operational transformations and technological advancements are creating exciting new opportunities in healthcare, they are not without their challenges. Across both the commercial and public sectors, the healthcare industry is arguably the most varied of all in terms of critical infrastructure, including large patient care and medical research organizations like Hackensack Meridian Health and UHealth, as well as single practitioner providers, health insurers, and city morgues.
Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) in 2009. The rules have been expanded, most recently in 2018, but innovations in technologies have far outpaced regulations and patient protections in this (and other) areas.
Patient privacy laws are as much about how an organization handles patient data as they are about a platform’s technical specifications.
Both HIPAA and the HITECH Act were written broadly, as they must be achievable by all stakeholders that handle patient data, from single practitioner providers to interstate hospital systems. This can make compliance frustrating for covered entities because the regulations are not prescriptive.
However, as Ebert, who helped lead the development of the audit protocol for the US Office for Civil Rights, noted, we need to move beyond a compliance mentality. “There were 875 breaches last year with over 61 million health records,” he said. “And many organizations viewed themselves as being ‘HIPAA-compliant."
“They’re doing what we’re asking them to do,” said Dr. Angée. “As an industry, we’re saying, ‘We can’t do business with you unless you meet these [HIPAA] requirements,’ so Microsoft, Google, they went out and did that. But when salespeople say their product is HIPAA-compliant, the reality is there’s no such thing.”
“There is no stamp of approval,” said Lawlor.
This is particularly problematic for Internet of Things (IoT) devices like embedded pacemakers or glucose-monitoring systems that can be run with an app. Both Lawlor and Dr. Angée stressed the importance of thorough privacy and security technical reviews prior to purchasing any products or services from a vendor.
“You’d be surprised,” said Dr. Angée of what his teams discover when they really dig into the technology behind many IoT devices. “We’ve found no access controls; passwords are never changed, and admin passwords are used in the background.”
For smaller healthcare entities that lack robust IT or security teams, the proliferation of insecure medical devices poses a significant risk to patient safety and privacy, as well as their own financial health. According to data cited in the HIPAA Journal, healthcare data breaches are the most expensive of any sector, at $9.42 million per incident. But there is good news: “Now a lot of the [IoT and medtech] vendors are asking us, ‘Do you know somebody who can help us with this?’” Dr. Angée said. “Which is incredible.”
Hackensack Meridian Health and UHealth are working to mitigate the risk of cyberattacks.
For insecure devices already in the environment, as well as future technologies of which vulnerabilities may not yet be known, there are ways organizations can mitigate risk. Both Hackensack Meridian Health and UHealth vet vendors extensively and have privacy and security addendums that outline the exact requirements their partners need to have in place to safeguard patient data.
There are no exceptions. Lawlor said even physician agreements for joint ventures or leased practices must sign the addendum. Other steps, like segmenting devices that depend on the vendor to patch, and maintaining an accurate asset inventory, can also help reduce risks. Still, both Lawlor and Dr. Angée have struggled at times to balance the needs of researchers, who want to share data, and their implementation of security controls can sometimes prevent them from doing so.
“Security is never going to be the organization of now,” said Lawlor. She’s not necessarily the Hackensack Meridian Health researchers’ favorite person, she said— Hackensack Meridian Health uses geoblocking that disallows traffic from all but 10 countries in the world—but Lawlor and her team are working collaboratively with researchers and third-party experts to create an environment built with research in mind without increasing Hackensack Meridian Health’s susceptibility to cyberattacks.
The answer is a collaborative and proactive mindset.
“The thing we need to ask ourselves is: Are we creating a denial of service against our patients?” Dr. Angée said. “The question is always: How do we get to ‘Yes’?”
At UHealth, Dr. Angée said his team works closely with biomedical engineers who know to reach out before they add devices to the network—not after. At Hackensack Meridian Health, one hospital is using IoT devices for remote patient monitoring, allowing patients to receive some types of acute care from the comfort of their own homes.
Guidehouse, too, has helped develop automation technologies that can scale healthcare providers’ capacity as organizations around the country face a shortage of clinicians.
Underpinning all of this are the security fundamentals. “Just because the technology is changing, adapting, and evolving, doesn’t mean the security foundations change,” said Lawlor. “You still need access management and privileged access; you still need to be able to identify [and patch] vulnerabilities, and you still need to know your assets.”
A zero-trust security strategy is the only way to prevent breaches.
As more organizations move toward the cloud, keeping track of where sensitive data resides becomes increasingly difficult, increasing pressure on data security teams. Recent events in healthcare IT show that a zero-trust cyberdefense strategy is the only way to prevent successful security breaches and ensure no threat or vulnerability to the continuity-of-care model.