Healthcare
Cybersecurity: An imperative for modern healthcare safety
Bristling with technological aids and tech-assisted procedures, modern-day healthcare is far removed from 19th-century hospitals with nurses in peaked caps and genteel doctors rolling up their sleeves. The price, perhaps, that the industry is paying for being technology-driven is the vulnerability it presents to cyber criminals.
As a sector, healthcare today is a growing repository of petabytes of data: patient Electronic Health Records (EHRs), data about treatment modalities, and multimodal, longitudinal data from years, even decades, of clinical notes, lab reports, procedures, clinical trials and more.
How resilient is this sector to cyberattacks? Turns out, not so much.
- The February 2024 attack on Change Healthcare, the largest US billing and payment system, led to massive disruptions in processing millions of patients’ prescriptions and services and ended up delaying their access to medication and care.
- The 2021 attack on Ireland’s Department of Health and Health Executive led to the theft of data of 100,000+ patients, affecting 80 per cent of the health infrastructure in that country.
- The 2017 WannaCry attack on the NHS in England disrupted a third of its hospital trusts and led to the cancellation of close to 7000 appointments.
As these publicly available instances highlight, cyberattacks can not only compromise healthcare infrastructure but also affect patient safety. In fact, it would not be an overstatement to say that cyberattacks are one of the foremost threats to effective modern-day healthcare. The use of new digital technologies, increased digital connectivity and network dependencies in healthcare mean that healthcare providers, insurers (who store massive amounts of data), life sciences companies, drug developers and others, who together form the massive healthcare ecosystem, are particularly vulnerable to newer and more sophisticated attacks.
Cybersecurity in healthcare, therefore, is an imperative today. However, it is not getting due importance in the planning and implementation of safeguards.
Primarily, the sector still lags behind in understanding the risks it confronts. Without risk evaluation, the downstream activities of risk management and mitigation, and of healthcare data protection, cannot be undertaken effectively. The 2023 Healthcare Information and Management Systems Society (HIMSS) survey reports that US healthcare organisations allocate 7 per cent of their budgets to cybersecurity, in contrast to an average spend of 11-12 per cent in other sectors. With expert cybersecurity talent already scarce, the sector cannot hope to attract the best of it with limited funding. The Lancet Global Health recently outlined how such risks are particularly high in middle- and low-income countries.
Some of the key challenges outlined by the HIMSS Cybersecurity report include:
- Difficulty in attracting and retaining a talented cybersecurity workforce
- Constraints in budgeting for cybersecurity
- Increasing incidence of phishing and ransomware attacks
- Rising adoption of artificial intelligence (AI), including the formulation of acceptable use policies for GenAI and concerns about GenAI.
There is increasing awareness of the work to be done. At the 2024 Annual Meeting in Davos, leaders gathered at the Cyber Insecurity, Analysed workshop and agreed on three key priorities for the sector:
- Educating boards and leadership on the importance of cyber resilience
- Building relationships and communities between organisations to secure the ecosystem
- Developing an industry playbook that includes shared practices amongst the different stakeholders.
What does this translate to on the ground? Just what kinds of ‘roll up your sleeves and get it done’ work are we talking about? First, given the interconnected nature of the healthcare sector, building cyber resilience into the DNA of the sector is not the job of a lone healthcare provider or even a regional system. It will take the collective will of the entire ecosystem and its leaders to build it in.
Some of the concrete measures called for include:
- Educating and building awareness among healthcare leaders about the vital role of cybersecurity in the future of the sector
- Generating data-backed insights, thought leadership narratives (including countering disinformation) and tools to secure patient and clinical data, networks and digital healthcare infrastructure
- Embedding a cybersecurity watch into the observation of trends so that appropriate responses and proactive measures can be undertaken in digital transformation journeys.
With the increasing embedding of AI in medical devices and the emergence of technologies such as quantum computing, security standards, such as the post-quantum cryptography standards to be announced by the US National Institute of Standards and Technology (NIST), become critical. The cybersecurity supply chain - knowing the provenance of software components - and its consequent risk management are equally important. The NIST Cybersecurity Framework 2.0 (CSF 2.0) highlights the importance of governance as a core function that can make or break any healthcare organisation’s cybersecurity program.
The awareness is being built. Much work has started, much more is left to be done!
How can Infosys BPM help?
Infosys BPM Healthcare services combine our strong domain expertise in healthcare, flexible operating model and integrated IT-BPM solutions to address the changing dynamics of the global healthcare industry. Our BPM in healthcare solutions are designed to transform operating models, improve business performance and standardise processes with reduced costs.