Girish Raghavan, GE HealthCare on key ways to strengthen cyber resilience in healthcare sector
By Girish Raghavan
We live in times when complexity is the new normal. The healthcare sector, in particular, has weathered more of that complexity than most over the last few years. The pandemic demanded more of it, and reliance on digital systems shifted gears overnight. The plain consequence is that cyberspace is now crowded with threats aimed at healthcare.
The healthcare industry has been on the receiving end of multiple high-profile cyber-attacks that put patient safety at risk. Electronic Medical Records are gaining pace, and digital health is becoming the new reality. That means information of high monetary and intelligence value now lives in digital form: patients' protected health information, their financial and personal identifying information, and the intellectual property behind medical research and innovation. Left unprotected, it could mean the collapse of an entire ecosystem.
Between 2009 and 2022, 5,150 healthcare data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 382,262,109 healthcare records. The recent cyberattack on India’s top hospitals compromised the health data of millions of patients, from those who live in extreme poverty to high-profile bureaucrats.
Losing access to medical records and lifesaving medical devices hampers effective patient care, jeopardising patient safety and care delivery. Access to private patient data allows attackers not only to steal information but also to alter it, which can have severe effects on healthcare outcomes: a changed allergy, blood group or dosage record is a patient-safety incident, not just a privacy one.
Even as cybersecurity experts blamed system failures and process-level data security gaps, the buck does not stop there. As the pace of healthcare digitisation accelerates, it is imperative that we identify those gaps and address them comprehensively.
Cyber Attacks threatening Medical Devices: Clinical outcomes follow
Virtually any medical device that connects to a wireless network is a potential target today.
Modern medical devices collect and transmit everything from biometric data, vital signs and medical history to billing data across departments. The data may be processed and stored on other devices, on site or in the cloud. In the wrong hands, this information feeds identity theft and counterfeiting. The security of medical devices is therefore critical to patient safety.
Attackers can also target the third-party software that hospitals use to integrate medical devices from different manufacturers; because that integration layer talks to every device it connects, a compromise there reaches far beyond a single machine. Clearly, there is no room for complacency, and hospitals need to apply IT risk assessment and data security processes without exception.
Strengthening Cyber Security Resilience in Healthcare
Hospitals may soon have to pay penalties worth crores of rupees for failing to protect patient data. Under the Digital Information Security in Healthcare Act (DISHA) expected to be tabled in Parliament soon, the government proposes to set up a dedicated National Electronic Health Authority (NEHA). This regulatory body will regulate digital health products and services in the country. The entire digital healthcare value chain would come under its ambit – from the manufacturer to the end-user.
Cybersecurity Awareness Month reminds healthcare institutions that the threat is both evolving and persistent. It is time we integrated cybersecurity into the very fabric of our organisations. Remember, this is a constant game of cat and mouse in which piecemeal efforts will not be enough. Hospitals need an end-to-end IT risk and compliance process, preferably led by a full-time Cybersecurity Director or equivalent, as part of their operating structure.
The first step is to inventory every device you use and to plan for contingencies in the event of an attack. Hospitals must also institute cyber security Standard Operating Procedures (SOPs) for their teams. For example, employees must be trained to identify phishing emails, a standard modus operandi of attackers, and to report them to designated persons.
Though it may appear innocuous, a single phishing email can give attackers the foothold they need to take over the entire network and block access to patient files. Tell-tale signs include suspicious-looking sender names or addresses, a Reply-To address that does not match the sender, unexpected attachments, and emails asking for passwords. Secondly, multi-factor authentication should be enabled for logins to all computers and servers. Employees must be discouraged from sharing their login credentials.
Hospital management must conduct regular audits to assess cyber security compliance and emphasise its importance during team huddles and new-hire briefings. Firewalls and antivirus software should be updated regularly, and spam blockers should be used throughout the premises. Running mock drills can help prepare employees for actual emergencies. Remember, luck favours the prepared!
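The tell-tale signs listed above can be turned into a first-pass triage check that a security team runs over reported emails before a human looks at them. The script below is an added illustration and is not code from the author or from GE HealthCare; the organisation domain `hospital.example`, the two sample messages, the keyword patterns and the risky-extension list are all constructed for this example. It parses raw messages with Python's standard `email` library and flags lookalike sender domains, internal-sounding display names on external addresses, mismatched Reply-To headers, credential-harvesting wording, and attachment types commonly used to carry droppers or fake login pages.

```python
"""Phishing triage heuristics over raw e-mail messages (added illustration, constructed samples)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed organisation domain for this example.
ORG_DOMAIN = "hospital.example"

# Attachment extensions that commonly carry droppers or credential-harvesting pages.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".html", ".htm",
                    ".iso", ".lnk", ".docm", ".xlsm", ".zip"}

# Wording typical of credential-harvesting lures (matched against lower-cased text).
CREDENTIAL_PATTERNS = [
    r"\b(confirm|verify|re-?enter|update)\b.{0,40}\bpassword\b",
    r"\baccount (will be|has been) (suspended|locked)\b",
    r"\bwithin \d+ hours?\b",
]


def _domain(header_value: str) -> str:
    """Lower-cased domain part of the address in a header value ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_internal(domain: str, org_domain: str) -> bool:
    return domain == org_domain or domain.endswith("." + org_domain)


def triage(raw_message: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return {'findings': [...], 'verdict': 'clean'|'review'|'quarantine'} for one raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    org_label = org_domain.split(".")[0]

    from_header = msg.get("From", "")
    display_name, from_addr = parseaddr(from_header)
    from_dom = _domain(from_header)
    reply_dom = _domain(msg.get("Reply-To", ""))

    # 1. External sender whose domain or display name imitates the organisation.
    if from_dom and not _is_internal(from_dom, org_domain):
        if org_label in from_dom:
            findings.append(f"lookalike sender domain: {from_dom}")
        if org_label in display_name.lower():
            findings.append(f"display name '{display_name}' implies internal sender but address is {from_addr}")

    # 2. Replies silently redirected to a different domain than the sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Credential-harvesting language in subject or body (attachments are not body text).
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    for pattern in CREDENTIAL_PATTERNS:
        if re.search(pattern, text):
            findings.append(f"credential lure matched /{pattern}/")
            break

    # 4. Attachments of a kind that routinely carries malware or fake login forms.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")

    verdict = "clean" if not findings else ("review" if len(findings) == 1 else "quarantine")
    return {"findings": findings, "verdict": verdict}


# Constructed sample: a credential-harvesting lure with a lookalike domain and an HTML attachment.
PHISHING_SAMPLE = """\
From: Hospital IT Helpdesk <helpdesk@hospital-login.example>
Reply-To: helpdesk@mail-relay.example
To: nurse@hospital.example
Subject: Action required: verify your password within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account will be suspended unless you confirm your password using the attached form.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="password-reset.html"

<html><body>Enter your password</body></html>
--b1--
"""

# Constructed sample: an ordinary internal message that should pass.
LEGIT_SAMPLE = """\
From: Radiology Scheduling <scheduling@hospital.example>
To: nurse@hospital.example
Subject: Updated MRI roster for Monday
Content-Type: text/plain; charset="utf-8"

Please find the updated roster on the intranet.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = triage(sample)
        print(label, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

A check like this is a filter for the reporting mailbox, not a replacement for it: it never marks a message safe, it only decides how quickly a person should look, and the keyword and extension lists need tuning to the hospital's own mail traffic so that legitimate IT notices do not drown the queue in false positives.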
With the rapid adoption of AI and automation, the future of healthcare will be highly connected. Fully autonomous medical robots are already being trialled in the West. If the last decade is any indication, this will bring new challenges for the industry in the years ahead. So it is imperative that we proactively assess and mitigate the risk from attackers, and it is not a one-time affair. Investing in the latest technology and in training brings compounding returns over time in patient safety, regulatory compliance and market reputation. Take action today.
The author is VP – Engineering at GE HealthCare.
Disclaimer: The views expressed are solely of the author and ETCIO.com does not necessarily subscribe to it. ETCIO.com shall not be responsible for any damage caused to any person/organization directly or indirectly.