‘The health care industry is a target-rich environment for hackers’
ENGLEWOOD, Colo. – As home health care organizations increasingly become aware of their vulnerability to cybersecurity risks, Brian Wells, director of health care strategy at Merlin International, offered his expert opinion on the unique challenges faced by the health care space.
HHTN: What are some of the cybersecurity challenges facing the home health care industry?
Wells: The health care industry is a target-rich environment for hackers and others. Attacks can come in the form of ransomware that makes data and systems unavailable to the end users and forces a switch back to paper-based processes, which drastically reduce nurse, physician and staff productivity, and may impact patient safety and quality of care. Far too often the health system’s only option is to pay the ransom so that automated care processes can return to normal. Another form of attack relates to stealing data, which can result in patient or employee identity theft, theft of services and the filing of false claims. These data breaches can come from an external source or result from the theft of a physical data storage device, and they result in remediation costs and reputational harm.
HHTN: How are cybersecurity challenges different in home health care?
Wells: I actually think that home health care security challenges are much worse. With the rapid growth of digital technologies like wearables, smartphones, artificial intelligence and the Internet of Things that are connected wirelessly to the Internet, the number of attack vectors is increasing exponentially. Many of these devices are not connected to hospitals or doctors’ offices. However, with the shift in health care reimbursement from fee-for-service to fee-for-value, health care providers will be incentivized to ensure that patients are compliant with care protocols and will want to have much closer and ongoing contact with the patients for whom they are responsible. This will increase the demand for connecting these devices into the provider’s electronic medical records systems, creating a much larger attack base. For example, a wireless scale in a patient’s home might be used as an entry point into the provider’s network.
HHTN: What do health systems need to address to be safe from cybersecurity attacks?
Wells: First and foremost, health systems need to constantly maintain a real-time inventory of all of the devices that are connected to their networks because it provides an accurate and up-to-the-minute universe of endpoints that need to be managed. The endpoints can then be categorized and assigned to the appropriate automated management processes to ensure the devices are compliant with the required prevention and detection software or segmented into a higher security portion of the network. Secondly, all end users—including patients and family members—need to be educated and regularly reminded about the risks of IT security non-compliance. End users need to be vigilant with password usage, device sharing, physical device security and usage to protect the organization and, ultimately, themselves. Lastly, all data and information systems need to be regularly managed, backed up and made as resilient as possible. It should be assumed an attack or breach will occur and the information systems teams, as well as clinical and business groups, need to know how to respond, recover and return to normal operations as quickly and safely as possible.