A common adage in healthcare cybersecurity is that “people are the weakest link.” It is true in one sense: healthcare leads other industries, with 31% of cybersecurity-related breaches attributed to human error. However, if healthcare blames patients for not adhering to treatment plans, and the information security community blames people for cybersecurity problems, perhaps we have built systems that are not sufficiently proactive?
How the Landscape Has Changed
Quality of care is the top priority for all who work in healthcare. This means, as much as possible, we don’t want to introduce barriers to the delivery of care. COVID accelerated the digitalization of care delivery by breaking through physical barriers and pushing devices outside of hospitals and delivering remote patient care at an unprecedented scale.
But how does that impact cybersecurity? And what does it have to do with medical devices?
A hacker can exploit a device’s vulnerability as an entry point into a Healthcare Delivery Organization (HDO) network and then deploy a ransomware campaign. This compromises the HDO’s network, inhibiting its ability to update electronic health records and to use devices that rely on connectivity for making calculations (e.g., devices used in radiation oncology and sophisticated surgical robots).
HDOs regularly obtain patient social security numbers (SSNs) or insurance information for billing purposes, or for the purpose of sharing data between systems. This same data can be used by a malicious actor to commit identity theft: request loans or prescriptions, file insurance claims, open bank accounts, perform online transactions, and even take out a mortgage, file tax returns, or claim rebates.
Why Doesn’t the Current Strategy Work?
User cybersecurity training has a place and purpose; we cannot let our people proceed in a connected world without guidance and support. However, if I can’t train an algorithm to identify a potentially malicious email, should I really expect an employee to detect it?
Looking back at the history of connectivity in healthcare, our systems were not initially designed to be widely connected. Devices started out as analog, and then, as software ‘became a thing,’ the potential for improved clinical experiences emerged. Suddenly a modicum of data standardization meant patient health information could be more easily shared across the value chain. With the rapid adoption of USB, Bluetooth, the internet, and now mobile/app-based care, connectivity is now ubiquitous in healthcare delivery.
At every step, the focus was on enhancing patient care. However, with each new point of connectivity, who in the value chain took on the burden of the potential cybersecurity vulnerabilities they introduced?
Medical device vendors used to deliver a device, ensure clinical operation, and consider the contract fulfilled. The point and time of sale were the focus, and hospitals would carry the residual cybersecurity burden until the device finally reached the end of its life (in many cases, this occurred far past the manufacturer’s support horizon).
As connectivity has become the de facto standard, this transfer of the cybersecurity burden to HDOs is not sustainable. On the spectrum of security from proactive (preemptively identifying security weaknesses and adding controls to prevent exploitation) to reactive (merely responding to incidents), the HDO is limited to implementing reactive practices.
A single HDO must manage tens of thousands of devices, and in many cases it has limited technical ability to modify or update them, for fear of impacting regulatory approval and manufacturer warranties.
The Path Forward
Let’s take a look at an industry often perceived as having great cybersecurity practices: financial services. Financial services firms, quite intuitively, have a lot to lose when a hacker succeeds. The average credit card user receives a call warning of potential fraud whenever a transaction looks suspicious and deviates from the user’s typical buying patterns. Is this how financial services keep the average cost of a breach, as well as the impact on their customers, lower than healthcare does? I hypothesize that the ability to proactively detect potential issues is directly tied to the monetary commitment to cybersecurity in the industry.
Taking a page from FinTech, healthcare cannot remain reactive in dealing with cybersecurity risks. Instead, we need to design a new approach with the intention of proactively protecting our users. Our systems must evolve to reduce how much they rely on users to defend against unknown threats.
With software, there will always be unknowns and there will always be weaknesses. The best systems are those that do not rely on the user as the “human firewall,” and, more importantly in patient care, do not make the efficacy of a device depend on the user. We must be intentional and prioritize designing security into devices if we are ever to change the preponderance of cyber risks in healthcare.
Our reliance on technology is here to stay: it has brought improved diagnostic capabilities, given us innovative treatment options, and reduced time, effort, and risk for patients. It is critical that the security component of this process is a positive experience for the user and/or patient, because it could be the difference between the success and failure of a cybercriminal.