Within the past few months, hospitals across the world have suffered from cyber attacks, resulting in massive data breaches and workflow stagnancy. The enhanced interoperability of electronic health records (EHRs) and medical devices is increasing the efficiency of healthcare delivery and providing greater access to patients. Yet, as healthcare practices welcome the Internet of Things, or the inter-networking of physical devices, and integrate EHRs, system vulnerabilities will only become more prominent. The healthcare industry must prioritize security in delivering quality care beyond complying with HIPAA. Current measures, however, lack standardization and seem to hinder, rather than promote, health care delivery.
With cybersecurity added to the medical lexicon, doctors and other professionals in the field must discover new measures to adapt to the accompanying risks and challenges. As a multi-billion dollar industry, filled with intimate personal information, the healthcare industry is an attractive target for hackers seeking to undermine trust, access financial information, or acquire ransoms. A common attack — ransomware — is often used for its attractive high return on low input costs. Usually found in easily shareable and downloadable file attachments, ransomware encrypts databases to the point where they are indecipherable and unusable to users. As healthcare delivery is critical and urgent, most hospitals, with patients in the waiting room, do not have the luxury of time for data to be restored or recovered.
Hospitals suffer 88 percent of ransomware attacks, with an estimated cost of $6.2 billion. Successful attacks are often possible because of outdated technology and a lack of preparedness. Additionally, training and workforce capacity are both lacking. (ISC)² director Dan Waddell emphasized that healthcare facilities need to train individuals widely in order to recognize, defend against, and recover from attacks. With a projected 1.8 million gap in the cybersecurity workforce by 2022, trainings must target every individual. Healthcare professionals already receive numerous trainings, and we should recognize the increasing salience and importance of cybersecurity by integrating trainings within existing medical programs and institutions.
However, even with advancements in fortifying security, some healthcare systems may continue to remain vulnerable. A 2015 study by Koppel et al. revealed that many healthcare professionals circumvent security measures, not out of malice but in order to provide better care. Additionally, some doctors mention that the intricacies of elaborate secure programs may result in technical glitches that impede routine practices, such as relaying a prescription. Other physicians find their practice stalled by security measures. A physician could easily spend 1.5 hours of a 14-hour workday merely logging in to various password-protected layers. Further, the onus of security increases the workload on physicians. In some cases, a 15-minute consultation with a patient requires the physician to do 45 minutes of paperwork and EHR. Hospitals need more security, but not to the detriment of the efficiency and efficacy of quality healthcare.
Despite widespread support among patient and physician respondents for industry-wide standards for cybersecurity, significant gaps in comprehensive regulation exist. Following the several recent ransomware attacks, the government and the private sector, which manages most of the Internet, have pivoted towards cybersecurity. On July 14, 2017, 38 governors announced their pledge to strengthen efforts to protect state systems. In June 2017, the Health Care Industry Cybersecurity (HCIC) Task Force published a report which underscored the critical condition of healthcare cybersecurity and offered six high-level measures. The implementation of these efforts should consider both healthcare professional and patient satisfaction and demand.
With increased regulation, new measures should make cybersecurity easier and more accessible. New authentication techniques and data segregation could help streamline security into the industry, as well as increase the time doctors spend with patients. However, the solutions are not as simple as imagined. Strengthening our cybersecurity through comprehensive efforts and training must be balanced against the quality of healthcare.