WEDI is calling for increased cybersecurity investments by healthcare organizations to protect health IT infrastructure from the growing interest of cybercriminals.
WEDI, a nonprofit organization that focuses on using health IT for health data exchange and works with the Department of Health and Human Services (HHS), recently drafted a white paper to inform healthcare insiders of the best ways to avoid security issues at the hands of hackers.
“As the use of health IT becomes more widespread, cybersecurity must be more directly integrated into the fabric of healthcare and ultimately become an organizational asset that is perceived as commonplace and mission-critical as hygiene and patient safety procedures have become to quality care,” the authors stated.
“No matter how high the walls that any one organization is able to erect against cybercriminals,” they continued, “the healthcare industry at large must coalesce as a united front to more collectively address how to implement a universal culture of cyberdefense and train a more resilient workforce to mitigate threats.”
The WEDI white paper outlines health IT vulnerabilities cybercriminals frequently exploit in health data breaches to inform stakeholders how to minimize their risk.
To mitigate these issues, a roundtable of stakeholders discussed topics from November 15 to April 2016 and identified best practices to reduce instances of cybersecurity breaches: raising awareness among stakeholders of the risks and costs associated with cybersecurity, building a business case for cybersecurity, developing frameworks and roadmaps to protect healthcare organizations moving forward, and applying knowledge gained from similar issues in other industries to the healthcare industry.
“As health data becomes more liquid and less easily controlled in mobile and cloud environments, security vulnerabilities and attack surfaces are expected to increase exponentially,” the authors wrote.
The white paper also outlines types of threat adversaries, types of vulnerabilities and attacks, and best practices for mitigating potential problems.
Potential threat adversaries include opportunistic hackers, insider threats, and hacktivists, while types of attacks include viruses, ransomware, and RAM scrapers.
While recent improvements in health data exchange allow for benefits including smoother transitions of care and easier transfer of patient health records between providers, the wealth of patient information available online presents a host of risks organizations may not be prepared to deal with efficiently.
With so much innovation and electronic data sharing happening every day, industry-wide data security standardization is rapidly becoming a necessity.
“In the current environment, organizations need a common set of best practices and standards for data to be safely and securely shared,” the authors wrote. “On the one hand, the decentralization of care delivery and the growing liquidity of health data between different settings are redefining the arena that must be protected with more robust, end‐to‐end solutions. Organizations must expand beyond control of how data is received, used and stored internally to also address how data is managed externally across different endpoints and devices. On the other hand, frameworks must also provide cost‐effective measures for organizations to adopt at scale.”
As health data exchange escalates, the stakes get higher for healthcare organizations trusted with large swaths of patient data.
“Ultimately, if cybersecurity practices are to be as commonplace and routine as handwashing and hygiene in healthcare, it is likely that processes will need to be incorporated into a common checklist for teams to rigorously follow,” the authors noted.
The WEDI white paper also highlighted the importance of developing flexible frameworks and practices adaptable to emerging threats. While EHR and application programming interface (API) innovation in the healthcare industry has had a largely positive impact on patient care and convenience, protocols and safeguards need to be updated alongside developing technologies to stay ahead of potential threats to security and patient information.
By mitigating risks and enforcing standardized security best practices, stakeholders hope to preserve valuable patient data as the healthcare industry makes the full transition from paper to electronic patient health records.