Key considerations for bolstering healthcare data security amidst incessant cybersecurity attacks

As the frequency and cost of cyberattacks on healthcare organizations continue to grow, hospital and health system leaders are making improved data security a top priority.

During an October Becker's Hospital Review webinar sponsored by MediQuant, four data security experts discussed strategies that organizations can use to better protect their data while identifying cost-saving opportunities. Panelists were:

  • Michael Archuleta, chief information officer, HIPAA & information security officer, Mt. San Rafael Hospital (Trinidad, Colo.)
  • Ray Lowe, senior vice president, chief information officer, AltaMed Health Services (Los Angeles)
  • Kel Pults, chief clinical officer, VP of government strategy, MediQuant
  • Yoemy Waller, chief information officer, Lake Health District Hospital (Lakeview, Ore.)

Three key insights were:

  1. Spotting high-risk systems and reinforcing IT infrastructure are keys to thwarting cyberthreats. Frequent, increasingly sophisticated cyberattacks are exposing healthcare organizations to data breaches and also to care interruptions, compliance issues and financial penalties.

    High-risk systems include those that use perimeter-based security protocols, such as VPNs, firewalls and encryption. Lake Health is replacing those protocols with zero-trust network authorization architecture, Ms. Waller said.

    Hackable medical devices, such as pacemakers and oximeters, are another type of high-risk system that Lake Health is reinforcing by creating a secure pipeline underneath them.

  2. Organizations need to adopt advanced measures for handling cyberattacks. One of those measures, which AltaMed has implemented, is using AI-powered software that informs users about the severity of an attack in real time. "It's given us really good visibility, so we are able to isolate and handle attacks in a much nimbler way," Mr. Lowe said.

    Other measures include multi-factor authentication and role-based security protocols that specify who should be able to access which data (also known as privileged access management).

  3. Decommissioning obsolete data infrastructure is an essential strategic step in strengthening data security. Legacy applications and hardware are especially vulnerable to data breaches. Decommissioning them as better products become available can drastically reduce the likelihood of a cyberattack.

    "When you consolidate all of your legacy systems into one archive, you're shutting down a lot of access points for somebody on the outside to get in. By reducing the footprint, you're reducing the security risk," Ms. Pults said. She explained that decommissioning programs also signals an organization's shift from managing individual project risk to adopting a more holistic governance plan.

    Mr. Lowe highlighted the need for proactive leadership in carrying out decommissioning initiatives: "IT leaders need to help business colleagues understand how [modern or updated] applications can save the organization money and what is the cost of a breach."

All of these strategies and measures are urgently needed because, as Mr. Archuleta observed, "Unfortunately, the healthcare industry is one of the most antiquated industries out there. You'd think we would be leading the pack when it comes to digital transformation and innovation because we're doing the most important thing out there — dealing with human lives."

Copyright © 2024 Becker's Healthcare. All Rights Reserved.