The expansion of cyber-physical systems in healthcare, particularly the IP “heartbeats” dispersed across hospital networks, has stretched cybersecurity beyond its IT legacy of monitoring email outages and website uptime at a clinic. As we look to expedite the application of cybersecurity to protect the field of medicine and its evolving cyber-physical nature, patient safety should be our guiding star.
Healthcare organizations already understand the priority; patient safety and the Hippocratic Oath guide the work of medical professionals. No matter the obstacles, care teams tirelessly support the mission to save patient lives. The same is not always true for the IT professional trying to bolster cybersecurity in a hospital.
Though, to be fair, medical professionals are usually granted ample resources to win the battle against patient disease, while hospitals’ IT teams often lack the people, processes, and technology support they need to foil ransomware, device hacking and other cybersecurity threats.
In the cybersecurity field, safety as the protection of human life is a relative term, depending on the sector. Industrial control system security, for example, readily accepts that confidentiality is not the priority; availability is. That includes resourcing to ensure paper mill kilns operate at a safe temperature so as not to harm humans nearby. It also includes support structures to monitor water facilities for signs of digital tampering and safe environmental treatment (e.g., no flooding wastewater).
Safety in a consumer security world, however, treats both security and privacy far more lightly. For example: to date, consumer health monitoring apps have introduced unacceptable levels of risk to the medical community since they impact patient safety (inaccurate blood pressure measurement, etc.).
Considering both the medical and cybersecurity communities face monumental and imminent threats to human life based on hacking and geopolitical cyberthreats, I’d like to rally both sides together to consider how to jointly improve protection in the healthcare sector.
My perspective is that we can set up and treat cybersecurity in healthcare the same way patient safety is addressed – disciplined process, timeliness, and oversight with expert human judgment. This approach may also help overburdened hospital IT scale their efforts to face the current threat landscape, together with help from experienced cyber specialists.
Let’s break it down and consider how we can work together.
When it comes to processes for patient safety, medical fields understand their value. But IT needs more support to ramp up their cybersecurity efforts to reach the same level of rigor.
Processes such as patching data servers or monitoring guest Wi-Fi require people and technology. When was the last time the server was scanned? What was discovered? Who is acting on anomalies? Are they automatically notified? We can better support IT with security automation (technology) managed by SOC experts and threat analysts (people).
For the cybersecurity professional, a disciplined process typically includes defining timelines in the security program to regularly perform expert checks, especially on assets or workflows impacting patient safety. This could include verifying infrastructure configurations. Constant monitoring is also a disciplined process, as is the expertise of analyzing threats: knowing which alerts are worth the IT lead’s attention and require action, and which are not.
Agreeing to an approach of disciplined process on both sides can improve levels of healthcare cybersecurity maturity.
Patient information must flow quickly to attending medical care teams. Similarly, threat and systems information should flow quickly to IT and cyber teams. This can be better accomplished through standardization and automation (where possible). Taking the time to set up the processes well can lead to less wasted time afterwards, leading to timelier protection/response.
Hospitals’ IT leads should work to identify the cyber-physical infrastructure that may impact patient safety in various hospital departments and create a list of priorities. The cybersecurity team can align risk assessments and route service level agreement (SLA) communications accordingly. If an alert reveals ransomware in one part of a hospital’s network, for example, other parts of the hospital can be safely taken offline to prevent spread, if the impact to patient safety has already been analyzed and understood.
Timeliness should also be addressed up front because many cyber-attacks happen during off-hours and holidays. Pre-work in cybersecurity includes knowing who to call and how quickly a call must be returned to protect patient safety (don’t forget a hard copy of the phone tree for when the network is down!). Healthcare professionals know all about this from the ER, where they routinely call in the appropriate care team specialist.
The shared patient safety priority means timeliness is essential for, and respected by, both teams.
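The pre-work described above (a priority list of cyber-physical assets ranked by patient-safety impact, response SLAs routed by that ranking, and isolation decisions gated on whether the clinical impact was analyzed beforehand) can be encoded as a small triage routine. The following is an added illustration, not code from the article or any hospital; the asset inventory, tier names, SLA minutes and escalation targets are all constructed placeholders.

```python
"""Route a security alert by pre-analyzed patient-safety impact (added example)."""
from dataclasses import dataclass

# Patient-safety tiers, most critical first (constructed names).
TIER_ORDER = ["life-critical", "care-impacting", "administrative"]
# Response SLA in minutes per tier (constructed values for illustration).
SLA_MINUTES = {"life-critical": 15, "care-impacting": 60, "administrative": 240}


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str               # network segment the asset lives in
    tier: str                  # patient-safety tier from the priority list
    isolation_reviewed: bool   # clinical impact of taking it offline was analyzed


# Constructed inventory standing in for the hospital's priority list.
INVENTORY = [
    Asset("infusion-pump-gw", "icu-devices", "life-critical", True),
    Asset("pacs-server", "radiology", "care-impacting", True),
    Asset("guest-wifi-ctl", "guest", "administrative", True),
    Asset("lab-analyzer-03", "lab", "care-impacting", False),
]


def route_alert(inventory, segment, after_hours=False):
    """Return the SLA, escalation target and isolation decision for an alert."""
    affected = [a for a in inventory if a.segment == segment]
    if not affected:
        # Segment missing from the priority list: the pre-work has a gap,
        # so it is treated as unanalyzed rather than as safe to cut off.
        return {"tier": None, "sla_minutes": SLA_MINUTES["administrative"],
                "escalate_to": "it-lead", "isolate": "not-listed"}
    # The worst tier in the segment drives both the SLA and the escalation.
    worst = min(affected, key=lambda a: TIER_ORDER.index(a.tier)).tier
    reviewed = all(a.isolation_reviewed for a in affected)
    # Isolation is pre-approved only when every affected asset's clinical
    # impact was analyzed up front and none is life-critical; otherwise a
    # human must make the call.
    isolate = "human-review" if (worst == "life-critical" or not reviewed) else "pre-approved"
    if after_hours:
        target = "on-call-phone-tree"   # the printed phone tree, not email
    else:
        target = "clinical-safety-lead" if worst == "life-critical" else "soc-analyst"
    return {"tier": worst, "sla_minutes": SLA_MINUTES[worst],
            "escalate_to": target, "isolate": isolate}
```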
Recent research says that diversity improves performance, and healthcare already acknowledges the necessity for varied disciplines, credentialed specializations, and a diverse population.
To improve cybersecurity in healthcare, a varied set of technical professionals must be tapped to cover the wide threat landscape. Again, the mission is patient safety. Leaving it to the IT lead alone misses the opportunity to find something faster, learn something relevant, and take the right mitigation action at the right time.
As in healthcare, there is no substitute for a human in cybersecurity: a human who knows the network, knows the patient, knows the attackers, etc. Ultimately, they must make the difficult decisions to uphold patient safety.
I hope this summary leads both business and medical professionals toward a better understanding about how our two sides of the same coin can unite to achieve the shared mission of protecting patient safety.