Risk Assessments/Management, Cloud Security, Training

Health care ‘a culture of yes’: How EHR modernization raises cybersecurity challenges

New technologies, such as the cloud and EHR modernization, are fueling the expansion of the threat landscape and driving the need to address security challenges. (Photo credit: “Drs. Idowu Aimola and Francis Collins” by National Institutes of Health (NIH) is marked with CC PDM 1.0)

Discussions around the pandemic’s impact on health IT often focus on the rapid adoption of technologies to support the response and simultaneous expansion of overall risk. But COVID-19 also revealed some of health care’s greatest shortcomings, supporting the need to reconsider the next level of security able to better support clinicians and related workflows.

Before HIMSS21, PatientKeeper CEO Phil Meer discussed potential tech challenges in health care and where many leaders will likely drive key initiatives well beyond the scope of the pandemic. Namely, physician burnout spiked during the last year, which could be attributed to tech challenges that hindered the user experience.

Further, evidence shows that the sector still lacks true interoperability and struggles with disparate solutions designed to solve health care’s greatest problems. However, these platforms often fail to communicate with other tools that would provide more effective and efficient care.

Mobility is important more than before, and providers are looking to monitor patients, communicate with staff, perform consults, and order prescriptions without using a virtual private network (VPN). Overall, technology able to support remote care is no longer just nice to have, Meer explained.

“It’s now a necessity to have that tech wherever the physician chooses to practice. Our providers are operating in multiple arenas, and we owe it to them to give them the tools that we have in the other areas of our lives,” Meer added. “Health care deserves that mobile capability and the providers we serve and clinicians have come to expert that.”

Expanded digital footprint, risk

The modernization of the electronic health record often drives providers into a more hybrid cloud infrastructure, explained Chris Logan, VMware executive healthcare advisor. Providers will need to assess the long-lasting implications of the pandemic and overall cyber risks posed by the expansive digital footprint, to ensure they’re not inadvertently adding new risks.

EHR modernization is indeed taking shape with the goal of both running the health care system and providing user-friendly platforms. But now some providers are adding to the risk by taking the user session and putting it into the public cloud to deliver user experience at the point of care.

Recent VMware data found a 9,851% increase in attacks against the health care sector between 2019 and 2020, along with 239.4 million attempted cyberattacks against VMware clients. As such, the expanded, remote access points could have a devastating impact on the health systems.

Consider the multiple ransomware notifications in the last week: threat actors are disrupting patient care, leaking health information, and forcing some providers to pay ransom demands to quickly bring systems back online.

Health care security is unique in that users need swift access to platforms and sensitive information at the patient bedside to effectively provide patient care. But it's those same access points that are easily targeted by threat actors.

In general, health care has an innate “culture of yes.” If something is needed within the hospital environment and it can expedite or support patient care, often providers will make decisions or even system changes to make that happen.

However, quick decisions in the health IT space can create new vulnerabilities and the welcome mat out for attackers.

Cyber posture’s role in health care

These challenges demonstrate the importance of building a culture of cybersecurity within the organization to better combat the urge to cut corners, while driving education across the enterprise and into personal decisions, Logan explained.

How, then, should providers remediate some of these risks? For Logan, the key may be to leverage situational intel: a tool able to manage complex security operations, analyze data from multiple sources, and give insights to the security team to detect and mitigate threats.

When mirrored with threat intelligence and intrinsic security, Logan explained that providers are better able to trust and run workloads wherever needed and gain needed visibility into network connections and workloads. The tools don’t have to be bound to the EHR and enable security teams to better pivot and respond to risks wherever they are on the network.

A culture of cybersecurity can prevent the common mistakes made during risky decisions, as staff can better understand implications and the impact to patient safety.

Providers also need to get back to the basics and focus on configuration and patch management, remembering that they “don’t need to throw a tool at all the problems,” explained Logan. The same can be said for operations that reside in the cloud: those platforms must be considered part of the operating model, as well.

From that foundation, providers should implement policies that impart operational processes to the enterprise on why certain measures are in place, how they work, and the impact of changing security measures to speed up access. Combined with a zero-trust mentality that alerts the security team to changes, a provider can reduce potential risks.

The policy should also require steps for employees that want to make changes to explain the reasons behind the modification and the processes behind it. Logan explained that in time, these methodical measures will strengthen the modern health care environment. But providers “can’t come out of the gate swinging… Instead, they need to crawl, then run to make things better across the ecosystem.”

The importance of threat sharing

Small- to medium-sized organizations don’t have the security staff in place to tackle these issues, explained Logan. Previous data from the Department of Health and Human Services found that 1 out of 3 hospitals operates without a designated security leader and instead rely on IT or other staff leaders to handle security matters.

Although larger entities understand the importance and impact of these key security challenges, it’s clear that those organizations, their partners, and vendors, need to share some of these insights with smaller providers to enable better outcomes for patients, said Logan.

The segmented nature also exists between different health systems, where more often than not, providers are not sharing valuable threat intel that could better support the sector, explained Logan. Health systems have their “own little fiefdoms that they built, customized, and tailored to specific requirements.”

“But we need to start sharing that information to take the threat landscape and reduce it down,” he added. The same measures are needed for assessing available tools to better understand the potential effectiveness and functionality on the network and whether it addresses the operational complexity.

Key proponents of threat sharing include the Health Information Sharing and Analysis Center (H-ISAC) and the College of Healthcare Information Management Executives, which encourage health care entities to drop the silos and share threat information as it “only makes the community that much stronger when we can all run at the same speed.”

“Fifteen years ago, privacy was more important and security was an afterthought. But now we’re reaching a point in the patient journey where we’re more in-tune with threat and risk management, especially in larger health systems,” said Logan. “Strength here comes in numbers and makes the sector more open, honest, robust… and prevents the damage caused by attacks.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.