Security Threats — A Threat to Patient Care

By Mark Walker, Security Consultant

Primary mission: Patient care

The fundamental goal of healthcare is the well-being and care of the patient. The way healthcare organizations accomplish that is evolving to include more and more technology, connectivity, and data analysis. There’s more data than ever flowing to and from individual systems in the healthcare sphere in an effort to provide the best possible care for patient needs. The challenge is further complicated by an accelerated number of devices being brought into healthcare infrastructures that enable excellent patient care.

Part of patient well-being and care is the confidentiality, integrity, and availability of the patient’s information

This influx of technology and data is a wonderful asset for patient care, but it presents a threat level unlike any that has existed before. The foundation of effective patient care is protecting a patient’s valuable data and the medical devices that serve them. But the healthcare industry is the number one target of cyberattacks, and it’s little surprise: The healthcare security environment is incredibly complex and vulnerable. Which means patient care is still in the balance, even when treatment is over.
Some of the main difficulties of achieving effective security in the healthcare space are persona conflicts, prioritization of the security budget, and picking and implementing an appropriate security framework.

Personas: Identifying the user motivations, expectations, and goals responsible for driving bad behavior

With all the devices available to achieve patient care, a common issue we run into is that different groups onboard dissimilar devices for various use cases. Every group or device may have distinct security personas based on its use cases. These personas are often bundled into the overarching healthcare organization’s persona, making it very difficult from an assessment perspective to go back and answer the necessary questions:
  • What exists in this environment?
  • What are the use cases and needs?
  • What are the controls in place?
  • How do we protect this data?

In this environment of accelerated medical device adoption, it’s common for healthcare providers to adopt new technologies for patient care without consideration for the architecture they will operate in. This approach of considering only the minimum requirements to solution functionality works in the short term for administering care, but without defining a policy to protect the assets involved, serves to invite patient harm in the form of data loss or exploitation further down the road.
The architecture is where these come together. Oversimplification in not explicitly identifying the broad personas into classes as a tool for the design of privacy and security technologies is where things go wrong. The goal should be to present the personas as a starting point for a detailed discussion about the different types of target use cases in the design of privacy and security technologies.

Unclear priorities for budgeting

In most cases, hospitals and clinics are businesses as well, with budgetary requirements to meet. There’s often a push to do more with less, from a business perspective, and to move to bigger, better, faster technologies and platforms. But there’s only so far a budget can go. What we often see is that healthcare organizations end up with an environment of disparate technology solutions inviting a host of security concerns, but no clear path to address them.
It’s important work to understand what endpoint devices do and what they’re connected to in order to set your priorities budgetwise. Often, there may be outdated, but expensive and necessary devices, like electron microscopes, that are not slated to be replaced but also don’t support a newer, more secure, Operating System (OS). So, from a security perspective, IT must consider whether the capabilities exist to isolate or integrate those types of devices and make a plan for enhancing the security posture of the overall environment while continuing to enable all necessary technologies.

Establishing a framework

To put it simply, if you don’t have a framework, you can’t know to the fullest extent what you’re doing. The best intentions can’t protect patient information when policies and procedures aren’t defined, documented, and implemented consistently.
The HITRUST Common Security Framework (CSF) is a comprehensive, flexible, and efficient approach to regulatory compliance, risk management, and privacy. The HITRUST CSF is the most widely adopted security and privacy framework in the U.S. healthcare industry, originally created for healthcare, designed to enable organizations to demonstrate compliance with multiple standards and regulations, including HIPAA, NIST, ISO, PCI, GDPR, CMMC, and more.
It’s a monumental task, implementing a framework like this, but when it’s done, it empowers your organization with proper documentation, making it simpler to report properly and to deliver information on priorities to executive management in a clear-cut way.

Bottom line

The overall security profile of the healthcare system is just as essential to patient care as the healthcare services delivered. When the patient’s physical need is met with these systems, but their data is unprotected and put at risk, that’s not a holistic perspective of patient care. Data compromise is a threat to the patient, even when their physical health needs have been met.
For more information on security in the healthcare industry, check out these related resources: