The current cyber environment means that it’s often not enough for healthcare delivery organizations to secure their own boundaries – as noted in a Cloud Security Alliance report this week. Health systems must also ensure vendor partners are compliant with privacy and security best practices.
Scott Pradels, CEO and cofounder of the virtual care platform Carium, sat down with Healthcare IT News to discuss the importance of effectively evaluating workflow process security and why he believes system-owned devices could present their own complications.
Q. How can healthcare tech teams most effectively evaluate security of tools or workflow processes?
A. Healthcare tech teams should evaluate the security of all solutions or workflow processes prior to implementation. Introducing any new technology into a healthcare system’s environment can create potential security weaknesses or exposure points.
HIPAA security policies require health systems to conduct a thorough risk analysis on a regular basis. This standard practice should be augmented by additional controls and services to ensure the highest level of data security is maintained and controlled.
A multifaceted approach to security is important, with the overarching goal being to provide defense-in-depth. Strong protections such as encrypted connections and protected health information, web application firewalls and intelligent threat detection can help ensure connections cannot be hijacked at any point.
In order to verify our security measures at Carium, an external team of security specialists also regularly performs rigorous security penetration testing to proactively detect and manage exploitable vulnerabilities.
Q. Why are system-owned devices not always necessary to secure an environment?
A. In many cases the devices and wearables used by patients do not transmit data directly to the care-delivery organization, which helps to mitigate the risk of malware, ransomware or other malicious software. Engineers and developers reinforce risk management by placing barriers or buffers between the device providing the reading and the information systems of the hospital or other care-delivery organization.
System-owned devices could also cause additional barriers and unnecessary friction points for health systems and patients. Although system-owned devices don’t necessarily equate to being safer, they can be financially prohibitive, requiring significant time to recoup costs. For patients, needing to juggle personal devices with similar health devices could lessen adoption and effective utilization, providing a subpar user experience.
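The "barrier or buffer" between a patient device and the hospital's information systems can be made concrete as a small ingestion gateway that validates each reading before anything is forwarded. The following is an added illustration written for this page; it is not Carium's code and not part of the interview. The message format, field names, size limit and physiological ranges are assumptions chosen for the example. The point it demonstrates is allow-listing: only known metrics, plausible values and the fields the downstream system needs pass through, and a device cannot push arbitrary content into the clinical side.

```python
"""Illustrative ingestion gateway between a patient device feed and a downstream
clinical system. Added example, not Carium's code; the message format, field
names, size limit and ranges below are assumptions for illustration only."""
import json
from datetime import datetime, timezone

# Allowed metric types and plausible physiological ranges (assumed values).
ALLOWED_METRICS = {
    "heart_rate": (20, 250),      # beats per minute
    "spo2": (50, 100),            # percent
    "systolic_bp": (50, 260),     # mmHg
    "weight_kg": (1.0, 500.0),
}
REQUIRED_FIELDS = {"device_id", "metric", "value", "observed_at"}
MAX_PAYLOAD_BYTES = 1024          # assumed cap on a single device message


class RejectedReading(ValueError):
    """Raised when a device message fails validation at the gateway."""


def validate_reading(raw: bytes) -> dict:
    """Parse and validate one device message.

    Returns a normalized record containing only the fields the downstream
    system needs; anything unexpected is dropped rather than forwarded.
    """
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise RejectedReading("payload too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedReading(f"malformed JSON: {exc}") from None
    if not isinstance(msg, dict):
        raise RejectedReading("top-level value must be an object")
    missing = REQUIRED_FIELDS - msg.keys()
    if missing:
        raise RejectedReading(f"missing fields: {sorted(missing)}")

    device_id = msg["device_id"]
    if not isinstance(device_id, str) or not device_id.isalnum() or len(device_id) > 64:
        raise RejectedReading("invalid device_id")

    metric = msg["metric"]
    if metric not in ALLOWED_METRICS:
        raise RejectedReading(f"unknown metric {metric!r}")

    value = msg["value"]
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise RejectedReading("value must be numeric")
    lo, hi = ALLOWED_METRICS[metric]
    if not lo <= value <= hi:
        raise RejectedReading(f"{metric} value {value} outside plausible range")

    try:
        observed_at = datetime.fromisoformat(str(msg["observed_at"]))
    except ValueError:
        raise RejectedReading("observed_at is not ISO 8601") from None
    if observed_at.tzinfo is None:
        raise RejectedReading("observed_at must carry a timezone")

    # Allow-list the output: extra keys the device sent never reach the hospital side.
    return {
        "device_id": device_id,
        "metric": metric,
        "value": float(value),
        "observed_at": observed_at.astimezone(timezone.utc).isoformat(),
    }


def process_batch(messages):
    """Run every message through the gateway; return (accepted, rejection reasons)."""
    accepted, rejected = [], []
    for raw in messages:
        try:
            accepted.append(validate_reading(raw))
        except RejectedReading as exc:
            rejected.append(str(exc))  # record the reason locally; never forward the raw bytes
    return accepted, rejected


# Constructed sample messages, as a wearable might send them (not real device output).
SAMPLE_MESSAGES = [
    b'{"device_id":"wrist01","metric":"heart_rate","value":72,"observed_at":"2024-05-01T10:00:00+00:00","firmware_debug":"ignored"}',
    b'{"device_id":"wrist01","metric":"heart_rate","value":900,"observed_at":"2024-05-01T10:01:00+00:00"}',
    b'{"device_id":"../../etc","metric":"spo2","value":97,"observed_at":"2024-05-01T10:02:00+00:00"}',
    b'not json at all',
]

if __name__ == "__main__":
    ok, bad = process_batch(SAMPLE_MESSAGES)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for reason in bad:
        print("  rejected:", reason)
```

Of the four constructed messages only the first is forwarded, and it is forwarded without the `firmware_debug` field it carried; an implausible heart rate, a device identifier that is not a plain alphanumeric token, and a non-JSON payload are all stopped at the gateway with a reason that can be logged for the security team without passing the raw bytes onward.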
Q. What are the potential overall risks of a virtual care environment when it comes to cybersecurity and patient care?
A. The growth in the number of connected devices inevitably means there is an ever-increasing number of ways our technology can be hacked or exploited by those with bad intentions. Phishing and ransomware are the most significant security incidents, and a hot target.
In many cases, hackers secretly download PHI to sell on the dark web. Stolen records sell for as much as $1,000 each, according to credit rating agency Experian, as opposed to $1 for an individual’s Social Security or credit card record being compromised.
The U.S. Department of Health and Human Services issued a warning this year that Conti, a notorious Russian cybercrime group, has specifically attacked healthcare institutions in the past. Given the scale of the threat and hike in recent years in cybercrime targeting healthcare organizations, our industry needs to increase protection and be on high alert.
As noted in the Cybersecurity and Infrastructure Security Agency’s “Shields Up” Initiative: “The CISA recommends all organizations – regardless of size – adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”
Q. How can healthcare systems best select technology partners?
A. The bottom line is that no approach can ensure complete security. Healthcare, like other industries such as banking, has to balance risk management with scalable costs and realistic user experiences, along with platform agility and responsiveness. A measured yet assertive security posture that evaluates possible risks, takes steps to minimize identified risks, and maintains rigor and discipline within an ongoing security review process, [is] table stakes when selecting the right technology partner.
In today’s reality, if a technology company is serious about being in healthcare, it will understand the applicable HIPAA obligations and go above and beyond the basic security foundation required by regulation.