The Spoke / Safer Healthcare Requires Cooperation

In an increasingly interconnected world, quality healthcare and cybersecurity are not mutually exclusive.

Healthcare is in the midst of a revolution. In some countries with universal healthcare, such as France, patients carry with them a chip card that allows a healthcare provider to access a patient’s medical history instantly. In the U.S., companies such as Open mHealth are promoting the storage and sharing of health data within a single structured platform so that healthcare providers and other users can access the same data across a range of software and devices. Still, the truly effective integration of the web into the U.S. healthcare system remains an unrealized dream, and failures in cybersecurity are largely to blame.

The enhanced, though by no means complete, interoperability of electronic health records (EHRs) and medical devices is already increasing the efficiency of healthcare delivery. Patients can now access their records anywhere through gateways that their providers have designed or purchased from third parties. Doctors can free themselves from the burden of maintaining copious amounts of paperwork while, theoretically, maintaining the privacy of records through layers of online protection. Yet, as healthcare practices welcome the inter-networking of physical devices and integrate EHRs, system vulnerabilities have only become more prominent. With tight budgets and high overhead costs, hospitals are slow to update technology. At the same time, hackers keep getting better at circumventing safety measures.

A major obstacle to achieving a fully networked healthcare system is that the burden of security and privacy legally lies with healthcare providers. Institutions must prioritize security in order to comply with HIPAA. Current measures, however, including a lack of standardization and caution to the point of inaction in updating technology, hinder rather than promote healthcare delivery. Within the past few months, hospitals across the world have suffered from cyber attacks, resulting in massive data breaches and workflow disruptions. Gaps in cybersecurity are widespread, and they affect nearly anyone who seeks healthcare in the modern age.

Healthcare is a multi-billion dollar industry, and its facilities, filled with intimate personal information, are an attractive target for hackers seeking to undermine trust, access financial information, or acquire ransoms. Ransomware is commonly used because of the high return it offers on low input costs. Usually found in easily shareable and downloadable file attachments, ransomware encrypts databases to the point where they are indecipherable and unusable. Hospitals suffer 88 percent of ransomware attacks in the U.S., with an estimated cost of $6.2 billion per year. Attacks often succeed because of a lack of preparedness, training, and workforce capacity. Dan Waddell, director of the cybersecurity and IT security professional organization (ISC)², has emphasized that healthcare facilities need to train individuals widely in order to recognize, defend against, and recover from attacks. As healthcare delivery is critical and urgent, most hospitals, with patients in the waiting room, do not have the luxury of waiting for data to be restored or recovered. Hospitals often pay the ransom.

The obstacles to achieving a fully networked and secure healthcare system are significant, and they require a balanced approach. Good healthcare and good cybersecurity require increased communication between security experts and doctors on what innovations are necessary and easily integrated within the current infrastructure. With a 1.8 million worker gap in the cybersecurity workforce projected by 2022, doctors and other professionals in the field will have to be innovative by suggesting and developing new measures themselves. We should recognize the increasing salience of cybersecurity by integrating it within existing medical programs and institutions. In fact, as it stands, healthcare and cybersecurity are often at odds. Koppel et al.’s 2015 study revealed that many healthcare professionals regularly circumvent security measures, not out of malice but in order to do their jobs effectively. Some doctors maintain that the intricacies of elaborate security programs result in technical glitches that impede routine practices, such as relaying a prescription. Other physicians find their practices stalled by security measures. As Koppel et al. found, a doctor easily spends 1.5 hours of a 14-hour workday merely logging in to various password-protected layers. Thus, the onus of security increases the workload on physicians. A 15-minute consultation with a patient can require the physician to do 45 minutes of paperwork and updating EHRs. Hospitals need more security, but healthcare and cybersecurity need better integration so that security is not to the detriment of the efficiency and quality of healthcare.

Governance and regulation should be part of the solution, but they may not be able to solve the problem entirely. Despite widespread support for industry-wide standards among patient and physician respondents, significant gaps in comprehensive regulations exist. In June 2017, following several ransomware attacks, the Health Care Industry Cybersecurity (HCIC) Task Force published a report which underscored the critical condition of healthcare cybersecurity and offered six high-level solutions. These imperatives focus on streamlining governance; improving the resilience of medical devices; increasing the workforce capacity; promoting awareness; researching new protection mechanisms; and, critically, sharing information across the industry. On July 14, 2017, 38 governors announced their pledge to strengthen efforts to protect state systems. In order to address the cyber-workforce gap, the governors agreed to increase the number of related degree programs in colleges; enroll and train veterans; and encourage institutions to pursue a special National Security Agency certification. However, even these measures do not consider the compatibility of medicine and cybersecurity. Only innovators among security providers and healthcare providers alike can assess and react to how well new security measures integrate within the hospital setting—by monitoring patient- and doctor-user satisfaction.

Cybersecurity should not impede medical practice; it should strengthen it. New measures should make cybersecurity easier, safer, and more accessible in the healthcare setting. New authentication techniques and data segregation could help streamline security as well as increase the time doctors spend with patients. In an increasingly interconnected world, cybersecurity must be balanced with increasing the quality of healthcare. Achieving a fully networked and truly efficient healthcare system in the U.S. will require creativity and collaboration on the part of everyone involved: security professionals, doctors, and patients alike.

Amal Cheema is an Albright Fellow and a 2017 graduate of Wellesley College, where she pursued a BA in biochemistry and in political science. She is currently pursuing a Thomas J. Watson Fellowship on organ donation across religious and cultural communities.

Photo Credit: James Baker, "Workspace" via, 25 September 2017.