How Secure Is the Healthcare System?
Cyber-attacks on healthcare organizations are becoming more common as nation-states and financially motivated hackers take advantage of subpar security in legacy systems used by payers and providers. Compounding the problem is the fact that digital transformation programs, including the exponential growth of the Internet of Medical Things, have been designed to facilitate access to healthcare data and interconnect platforms used throughout the healthcare value chain. Interoperability legislation has been designed with the altruistic intention of giving patients greater access to their information, but the rapid transformation of patient-facing healthcare applications has exacerbated security challenges in the healthcare industry.

Adequate patient care requires access to reliable data and the ability to share this data across multiple entities, including hospital departments, pharmacies, labs and a host of others on the payer side of the equation. The trend to prioritize the consumer experience for healthcare patients is driving the need to present patient data and other applications via mobile devices.

Securing patient care

Think about a simple visit to get a wellness checkup. Generally, the patient would visit a lab to have bloodwork done, requiring insurance validation. Patient data at that point is flowing between the clinic, the clinic's back-office systems (located in a data center or on a cloud platform linked to the payer network), and the labs that will actually process the patient specimens. Finally, the results that need to be shared with the doctor are provided to the facility where the doctor works. Centralized electronic health record (EHR) systems are making strides in streamlining parts of this process, but the competitive nature of the U.S. healthcare industry has for decades driven rapid, diverse transformation at the expense of data privacy and security. This opens the door to cyber-attacks.

Hospitals have been a very visible target, as shown by the recent ransomware attack on CommonSpirit Health, the second-largest nonprofit hospital chain in the United States. This attack was especially virulent, impacting over 100 hospitals and their ability to provide safe, timely care for patients. Providing healthcare based on in-depth knowledge of individuals and their unique needs over long-term doctor-patient relationships is a disappearing model. Physicians are exiting private practice in droves, driven by a push to reduce costs and increase profits by reducing the time they spend with patients.

Securing patient safety

Ransomware attacks like the one experienced by CommonSpirit have real-world impacts beyond the financial; patient safety is at risk. CommonSpirit has done an admirable job of dealing with the fallout from the attack, leveraging fall-back systems and ensuring the best possible patient care given the limitations of operating without access to critical systems and data for more than a month. Still, the attack demonstrates the need for healthcare providers to increase their investments in cyber defense capability.

ISG helps healthcare enterprises assess their cybersecurity needs and incorporate defense-in-depth programs and extensive third-party risk management (TPRM) into their cybersecurity portfolio. We also help conduct rigorous incident response exercises that leverage cyber range capabilities. Contact us to find out how we can get started.


About the author

Doug Saylors

Doug currently leads the ISG Cybersecurity unit and offers expertise in cybersecurity strategy, large-scale transformation projects, infrastructure, digital enablement, relationship management, and service delivery. Clients benefit from Doug's expertise from years of working with global clients within the life sciences, automotive manufacturing, aerospace, banking, insurance, financial services, healthcare, utilities and retail industries, as well as his deep and current knowledge of the service provider market. Doug routinely performs strategy and assessment engagements to assist clients in understanding how to select the optimal organizational and operational models to meet their business needs while minimizing security exposure and risk of loss.