Bringing cybersecurity and health IT together to support patient safety
The expansion of cyber-physical systems in healthcare, particularly the IP “heartbeats” scattered across hospital networks, has extended cybersecurity beyond its IT legacy of monitoring downed emails and site availability in a clinic. As we seek to accelerate the application of cybersecurity to protect the field of medicine and its evolving cyber-physical nature, patient safety should be our guiding star.
Healthcare organizations already understand this priority; patient safety and the Hippocratic Oath guide the work of health professionals. Regardless of the obstacles, healthcare teams tirelessly support the mission of saving patients’ lives. The same is not always true for the IT professional trying to strengthen cybersecurity in a hospital.
To be fair, healthcare professionals are usually well-resourced to win the battle against patient illness, while hospital IT teams often lack the people, processes and technology they need to thwart ransomware, device hacking, and other cybersecurity threats.
In the field of cybersecurity, security as the protection of human life is a relative term, depending on the sector. Industrial control system security, for example, readily accepts that privacy is not a priority; availability is. This includes resources to ensure paper mill ovens operate at a safe temperature so as not to harm nearby humans. It also includes support structures to monitor water facilities for signs of digital tampering and safe environmental treatment (e.g. no sewage flooding).
Security in the consumer world, however, treats both security and privacy much more lightly. For example, consumer health monitoring apps have to date introduced unacceptable levels of risk to the medical community where they affect patient safety (inaccurate blood pressure measurement, etc.).
Considering that the medical and cybersecurity communities face monumental and imminent threats to human life based on hacking and geopolitical cyberthreats, I would like to bring the two parties together to consider how to jointly improve protection in the health sector.
My view is that we can implement and treat cybersecurity in healthcare the same way as patient safety – disciplined process, speed, and oversight with expert human judgment. This approach can also help the IT department of overburdened hospitals to step up their efforts to deal with the current threat landscape, with the help of experienced cyber specialists.
Let’s break it down and consider how we can work together.
When it comes to processes for patient safety, medical fields understand their value. But IT needs more support to step up its cybersecurity efforts to achieve the same level of rigor.
Processes such as patching data servers or monitoring guest Wi-Fi require people and technology. When was the last server scan? What was discovered? Who acts on anomalies? Are they automatically notified? We can better support IT with security automation (technology) managed by SOC experts and threat analysts (people).
For the cybersecurity professional, a disciplined process typically includes setting deadlines in the security program to perform regular expert checks, especially on assets or workflows that impact patient safety. This may include checking infrastructure configurations. Constant monitoring is also a disciplined process, as is threat analysis expertise, to know which alerts deserve the IT manager’s attention and require action, and which do not.
Agreeing to a disciplined process approach on both sides can improve healthcare cybersecurity maturity levels.
Patient information needs to be passed quickly to medical care teams. Likewise, threat and system information needs to be delivered quickly to IT and cyber teams. This can best be achieved through standardization and automation (if possible). Taking the time to properly configure processes can reduce wasted time later, leading to faster protection/response.
Hospital IT managers should strive to identify cyber-physical infrastructure that may impact patient safety across various hospital departments and create a prioritized list. The cybersecurity team can align risk assessments and route service level agreement (SLA) communications accordingly. If an alert reveals ransomware in one part of a hospital’s network, for example, other parts of the hospital can be safely taken offline to prevent the spread, provided the impact on patient safety has already been analyzed and understood.
Speed of execution should also be addressed upfront, as many cyberattacks occur during off-peak hours and holidays. Cybersecurity pre-work involves knowing who to call and how quickly a call should be returned to protect patient safety (don’t forget a hard copy of phone trees when the network is down!). Healthcare professionals know all of this from the emergency room, where they often call the appropriate healthcare team specialist.
The shared priority of patient safety means that timeliness is critical and respected by both teams.
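The process described above (a prioritized asset list with pre-analyzed patient-safety impact, SLA-driven routing, a who-to-call table, and a check on stale scans) can be modeled in a small triage script. The following is an added example, not code from the article or from any hospital tooling; the tiers, SLA minutes, on-call contacts and the asset inventory are all constructed for illustration.

```python
# Added example (not from the article): a small triage model that applies a
# patient-safety-first process to security alerts. Tiers, SLA minutes, contacts
# and the inventory are hypothetical values constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical patient-safety tiers: tier 1 assets touch patients directly,
# tier 2 support clinical workflow, tier 3 are business or guest services.
SLA_MINUTES = {1: 15, 2: 60, 3: 240}

# Hypothetical on-call contacts per tier (the "phone tree" that should also
# exist on paper for when the network is down).
ON_CALL = {1: "biomed-engineering on-call", 2: "SOC duty analyst", 3: "IT helpdesk"}

SCAN_MAX_AGE = timedelta(days=30)  # assumed policy for "when was the last scan?"


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str           # network segment the asset lives in
    tier: int              # patient-safety tier, see SLA_MINUTES
    safe_to_isolate: bool  # pre-analyzed: can the segment go offline without harming patients?
    last_scan: datetime    # last vulnerability/configuration scan


@dataclass(frozen=True)
class Alert:
    asset: str
    kind: str
    detected: datetime


# Constructed inventory: a mix of cyber-physical and conventional IT assets.
INVENTORY = [
    Asset("infusion-pump-gw", "icu-devices", 1, False, datetime(2024, 3, 1)),
    Asset("ct-scanner-01", "radiology", 1, True, datetime(2024, 1, 10)),
    Asset("ehr-db-01", "clinical-apps", 2, False, datetime(2024, 3, 20)),
    Asset("guest-wifi-ctrl", "guest", 3, True, datetime(2023, 11, 5)),
]

# Constructed scenario: two alerts during an off-peak hour.
NOW = datetime(2024, 4, 1, 2, 30)
SAMPLE_ALERTS = [
    Alert("guest-wifi-ctrl", "ransomware-indicator", NOW),
    Alert("infusion-pump-gw", "unexpected-outbound-connection", NOW + timedelta(minutes=5)),
]


def _find(assets, name):
    for a in assets:
        if a.name == name:
            return a
    raise KeyError(f"unknown asset: {name}")  # an alert on an uninventoried asset is itself a finding


def stale_scans(assets, now, max_age=SCAN_MAX_AGE):
    """Names of assets whose last scan is older than max_age, sorted."""
    return sorted(a.name for a in assets if now - a.last_scan > max_age)


def route_alert(alert, assets):
    """Attach tier, SLA deadline and contact to an alert and decide on isolation."""
    asset = _find(assets, alert.asset)
    deadline = alert.detected + timedelta(minutes=SLA_MINUTES[asset.tier])
    action = "isolate segment" if asset.safe_to_isolate else "clinical sign-off required before isolation"
    return {
        "asset": asset.name,
        "segment": asset.segment,
        "tier": asset.tier,
        "respond_by": deadline,
        "contact": ON_CALL[asset.tier],
        "action": action,
    }


def containment_plan(alert, assets):
    """For an alert in one segment, split the other segments into those pre-approved
    for isolation and those that still need a clinical decision."""
    affected = _find(assets, alert.asset).segment
    pre_approved, needs_review = set(), set()
    for a in assets:
        if a.segment == affected:
            continue
        (pre_approved if a.safe_to_isolate else needs_review).add(a.segment)
    pre_approved -= needs_review  # a segment is pre-approved only if every asset in it is
    return {"affected": affected, "pre_approved": sorted(pre_approved), "needs_review": sorted(needs_review)}


def triage(alerts, assets):
    """Order routed alerts by patient-safety tier first, then by SLA deadline."""
    routed = [route_alert(al, assets) for al in alerts]
    return sorted(routed, key=lambda r: (r["tier"], r["respond_by"]))


if __name__ == "__main__":
    print("stale scans:", stale_scans(INVENTORY, NOW))
    for r in triage(SAMPLE_ALERTS, INVENTORY):
        print(r)
    print(containment_plan(SAMPLE_ALERTS[0], INVENTORY))
```

Note that the infusion-pump alert, although detected five minutes later, is triaged ahead of the guest Wi-Fi ransomware indicator because its tier carries the shorter SLA, and that the ICU segment is never listed as pre-approved for isolation: the decision to take it offline stays with a human who knows the patients.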
Recent research indicates that diversity improves performance, and healthcare already recognizes the need for varied disciplines, credentialed specializations, and a diverse population.
To improve cybersecurity in healthcare, a diverse set of technical professionals must be tapped to cover the vast threat landscape. Again, the mission is patient safety. Leaving the IT manager alone means missing the opportunity to find something faster, learn something relevant, and take the right mitigation action at the right time.
As in the field of health, nothing replaces the human in cybersecurity: a human who knows the network, knows the patient, knows the attackers, etc. Ultimately, they must make the tough decisions to keep patients safe.
I hope this summary leads businesses and healthcare professionals toward a better understanding of how our two sides of the same coin can come together to achieve the common mission of protecting patient safety.