By Roman Franklin and Mitali Maheshwari, analysts with MD Buyline
Although health care in general has developed the reputation of being slow to adopt new technologies, cyberattacks and security threats have forced complete adaptation from the marketplace over the past few years. Moreover, industry consolidation and a push for everything digital have created a sort of perfect storm environment for cybercrime.
At the CIO roundtable at HIMSS 17, and in discussions with executives from McKesson and Philips, we saw significant evidence that the industry is making every effort to acknowledge and develop solutions geared toward protecting against hospital security breaches. This includes a substantial increase in quote activity submitted to MD Buyline for security software solutions, hospital inquiries, and an upsurge in education sessions here at HIMSS addressing cyber security and related issues.
Emerging and growing threats surrounding health care information
One key area of vulnerability is associated with the push for free-flowing data. As part of providing a smooth patient experience, health care systems need their patient data to move seamlessly across platforms. An example where this becomes a risk is when the hospitals stream data to private care doctors. The smaller practices do not have nearly the security coverage that a hospital has, which creates a chasm of exposure for attack. Hospital systems are beginning to host the private care clinics in an effort to shore up the gap in coverage. However, many do not have the bandwidth or expertise to do so. The need for a safe, well-flowing ecosystem of data across many emerging platforms will continue to be a challenge in the current consolidation-heavy health care market.
Another potential security gap lies in cloud-based storage and virtual work platform transitions. In addition, the uptick in mobile device application usage creates more opportunities for infiltration. Along with the rapid rate of digital innovation health care manufacturers are exhibiting, the complexity and creativity of attackers have increased, and will continue to do so. For example, a Trojan version of the popular video game app Pokémon Go appeared less than 72 hours after the release; it was downloaded 500,000 times and infected over 6,000 users' phones with malware.
Improvements that need to be made within the health care sector to better protect information
Hospital leadership must evaluate and document current facility information environments to increase awareness. Organizations should create a risk-based decision-making approach, as well as establish more stringent control policies related to provider and employee information access.
Keys to mitigating risk include adopting an attitude of awareness, coupled with a proactive approach that consists of an internal assessment and a strategy based on stakeholder consensus, including taking steps to shore up infrastructure weaknesses, implement internal policies and incorporate a training plan across the organization that promotes buy-in.
Furthermore, vendors and facilities should strive to develop collaborative partnerships. It takes multiple teams, working together, to contain something as evolutionary and complex as cyber-security.
An interesting tactic many hospitals and equipment manufacturers are exploring is engagement with professional “hacker consultant groups.” These groups include individuals, some of whom are former hackers, providing expertise from the perspective of someone looking to infiltrate and attack a hospital’s security system. This is a valuable resource that can shed light on areas of vulnerability that are often overlooked.
Roman Franklin joined MD Buyline in 2016 with more than seven years in health care information technology, capital equipment sourcing, equipment planning, and health care consulting. Prior to MD Buyline, Mr. Franklin worked as a sourcing executive for Novation, and operations manager for a Premier Healthcare subsidiary. He also spent several years as a capital analyst, during which time he assisted hospitals and health care facilities with budgeting, service contract analysis, price negotiation and asset management.
Mitali Maheshwari joined MD Buyline in 2016 with a background in health care information technology. Prior to coming to MD Buyline, she was an Epic Analyst at OCHIN Inc., and an international regulatory affairs associate for Claris Lifesciences Ltd. At MD Buyline, Ms. Maheshwari has responsibility for several technologies, including Electronic Health Records.