A senior security executive with a major academic health system has told Congress that, in addition to attacks by random attackers, healthcare organizations are facing new threats that are changing the health security landscape.
Erik Decker, chief security and privacy officer with the University of Chicago Medicine, testified on behalf of the Association for Executives in Healthcare Information Security in mid-June. He made his comments in support of the reauthorization of the Pandemic and All-Hazards Preparedness Act, whose purpose is to improve U.S. public health and medical preparedness for emergencies.
In his testimony, Decker laid out how the nature of provider and public health preparedness has changed as digital health technology has become the backbone of the industry.
He described how healthcare information use has evolved, explaining to legislators how the digitization of healthcare has created a “hyper-connected” environment in which systems such as EHRs, revenue cycle platforms, imaging and ERP software are linked to specialty applications, the cloud and connected medical devices.
He also told them about the increasing need for healthcare organizations to share data smoothly, and the impact this has had on the healthcare data infrastructure. “There is increasing reliance on these data being available, and confidential, to support these nuanced clinical workflows,” he said. “With the adoption of this technology, the technical ecosystem has exploded in complexity.”
While the emergence of this complex digital health ecosystem offers many advantages, it has led to growth in the number and type of cybersecurity problems providers face, Decker noted. New threats he identified include:
* The development of underground markets and exchanges of sensitive information and services such as Hacking-as-a-Service
* The emergence of sophisticated hacking groups deploying ransomware
* New cyberattacks by terrorist organizations
* Efforts by nation states to steal intellectual property to create national economic advantages
This led to the key point of his testimony: “We can no longer think of preparedness relative only to natural disasters or pandemics,” Decker said. “It’s imperative that we acknowledge the criticality of cybersecurity threats levied against the nation’s healthcare system.”
To address such problems, Decker suggested, healthcare organizations will need help from the federal government. For example, he pointed out, HHS made a big difference when it jumped in quickly and worked closely with healthcare leaders responding to the WannaCry attacks in mid-2017.
Meanwhile, to encourage the healthcare industry to adopt strong cybersecurity practices, it’s important to offer providers some incentives, including a financial subsidy or safe harbors from enforcement actions, he argued.