Editor's Note: This article originally appeared in the Oliver Wyman Forum.
Like many industries, the healthcare sector is doubling down on cybersecurity in a determined effort to build on the explosion of virtual activity – telehealth visits – during the pandemic. Yet providers face special challenges, ranging from safeguarding medical devices to protecting data to meeting patients where they are – even if that means an old smartphone with an outdated operating system.
Providers, regulators, and IT suppliers gathered at the Billington CyberSecurity Summit in early October and discussed the different steps they are taking to meet the challenge. They all agreed on one thing: There’s no turning back the clock.
“I do see more reliance on telehealth because it helps increase the veteran’s experience with the medical service,” Joseph Stenaka, executive director of Information Security Operations and chief privacy officer of the US Department of Veterans Affairs, told Elizabeth Southerlan, a principal in Oliver Wyman’s Health and Life Sciences practice, who moderated a summit panel discussion on enhancing telehealth security and trust. The VA has conducted over 12 million telehealth visits since the pandemic erupted compared with around 300,000 a year previously.
That surge in remote service delivery expands the potential attack surface of an industry already in the crosshairs of ransomware thieves. “The healthcare sector is still maturing in the cybersecurity space in a lot of ways, and so I think it’s somewhat of a softer target than others could be,” said Jessica Wilkerson, senior cyber policy advisor at the US Food and Drug Administration.
The stakes are especially high because of the life-saving nature of the healthcare services provided. An Alabama hospital was sued recently over the death of a baby from brain damage during childbirth, with the mother alleging she wasn’t informed that a ransomware attack had knocked out the facility’s computer systems at the time.
All participants agreed that protecting patients, their data, and devices starts with some basic cyber blocking and tackling. That includes verifying identities through multi-factor authentication and tighter password practices, continuously monitoring networks to know what people and devices are on them, and using technology to identify anomalies that could signal a bad actor. For many providers, that increasingly means the use of cloud-based IT services.
“The days are gone where we’re trying to build a perimeter fence around your environment,” said Jamie Baker, federal health, science and policy senior manager at Amazon Web Services. Instead, he explained, providers should be looking to control access to particular patient files or devices at a very granular level, granting access to specific individuals during precise time periods.
Providers and regulators also need to collaborate closely with vendors to address security issues, such as installing patches on critical software in a timely manner. The FDA works with vendors to ensure the cyber safety of medical devices through bodies like the Healthcare and Public Health Sector Coordinating Council, and providers should tap such organizations to raise their own cyber game. “They have become such hubs of information and best practices and resources,” said Wilkerson.
One of the biggest challenges providers face is the issue of legacy equipment. Telehealth can greatly extend providers’ reach, but many patients may lack the latest laptop, smartphone, or operating system. Providers can’t just cut them off from services. “We don’t want to say your device isn’t secure enough,” said Baker. “So, I think it really boils down to being transparent with them, saying because of the device that you’re on, this might not be the most secure transaction.”
Last but not least, everyone in the sector needs to keep the focus squarely on the patients. The VA has a privacy hotline to answer questions from veterans while the FDA reaches out to patients to better understand their concerns about potential cybersecurity issues and provide reassurance. As Wilkerson put it, “It’s critical that we talk to them and make sure that as all these cybersecurity conversations are happening, it is understood that these devices are life-saving.”