By Scott Galbari
Already on the rise for several years, ransomware attacks have skyrocketed this year, more than doubling in Q3 over the same quarter last year. This comes as healthcare CIOs are swamped with the massive IT demands of the pandemic, not to mention preparing to meet the new CMS/ONC interoperability requirements, which take effect in April.
It turns out there is a bit of a silver lining here: smart selection and application of advanced interoperability technology can go a long way toward meeting all three of these challenges simultaneously. A collective solution would allow CIOs to reduce hacking vulnerability while making it easier to handle the demands of the pandemic and to be ready when the information-blocking rule goes into effect.
A War on Three Fronts
As usual, healthcare CIOs are fighting multiple battles at the same time. A perfect storm is brewing in that:
- Hackers continue to target healthcare data
- The pandemic requires healthcare leaders to rapidly deploy new care and testing sites, new virtual care technologies, and meet new reporting requirements
- New interoperability rules call for new data sharing processes and APIs
These challenges exacerbate each other and create new potential openings for hackers. Yet if healthcare organizations resort to locking down systems to prevent ransomware attacks, this makes pandemic response and interoperability rule compliance extremely difficult.
Difficult, but not impossible. And the synergies of these challenges mean there can be synergies in the solutions. Healthcare leaders can protect their organizations from security threats while also improving their ability to respond to the demands of the pandemic and the new interoperability rules by following these three principles:
Get Inside the Mind of a Hacker
A smart tactic to avoid attacks is to put yourself in a hacker’s shoes. Consider the questions a hacker would ask when sizing up their next cybersecurity attack. Hackers want to:
- Know what kind of software is being introduced
- Identify any vulnerabilities, unpatched exploits, or new endpoints
- Exploit FHIR
- Find any social engineering exploits to bypass security
- Look for ways to perpetrate identity fraud
Additionally, the new interoperability rules require the deployment of accessible APIs, which means healthcare organizations must find a way to protect these new potential entry points into their IT system.
By thinking like an adversary, it’s possible to recognize and eliminate potential threats of a security breach. Healthcare organizations can identify their weaknesses and develop a cybersecurity plan that will address each identified risk.
Limit Opportunities for Exploitation
Hackers are always on the lookout for weak spots in healthcare organizations’ IT infrastructure, which usually means entry points into the network. Anywhere an application or a user connects to the health system’s infrastructure is a potential vulnerability. The more we can minimize these entry points, the less vulnerable the organization will be.
The pandemic has introduced new entry points for many organizations by requiring new technology like virtual care platforms, as well as alternative care settings and testing sites. The new interoperability rules also have the potential to introduce new entry points by requiring that organizations use FHIR APIs to prevent information blocking. In both cases, the opportunities for data breaches are ample, and the key challenge for healthcare organizations is to meet these requirements while minimizing the number of entry points into the network.
Limiting point-to-point connections by implementing an integration engine is one way organizations are minimizing points of vulnerability within their IT infrastructure. For example, a hospital may have hundreds of systems running throughout its organization, resulting in a complex web pattern.
However, if a central hub is introduced, the number of connections is reduced by an order of magnitude. Hypothetically speaking, let’s say a hospital has 10 systems, which are connected to 10 systems. That’s 100 entry points. However, if 10 systems are connected to one hub, that’s only 10 entry points. Modern integration engines allow organizations to achieve critical goals — like limiting vulnerable integration points — while building in security updates and FHIR support.
Know When to Ask for Help
With security threats continually evolving, it can be challenging for internal IT staff, even with a dedicated CISO, to keep up with the latest threats, vulnerabilities, and defenses. Even if there are dedicated cybersecurity experts on staff, it is worthwhile to consider the help of cybersecurity consultants that have teams keeping up with the latest threats and defenses. Seeking outside counsel to independently review the organization’s data security practices can mean the difference between preventing an attack before it happens or scrambling to react when one does.
These consultants can provide guidance to assess risk, recommend types of security support, and ultimately set the healthcare organization up for long-term success. In addition to cybersecurity experts, interoperability experts can recommend strategies to ensure healthcare organizations can share data as securely and efficiently as possible.
With the pandemic necessitating rapid scaling of technologies and care settings, and the CMS and ONC rules requiring organizations to expand their IT capabilities, the growing exposure to cybersecurity risks is inevitable. But with the right approach and input from outside IT and cybersecurity experts, healthcare organizations can protect their health data while still complying with the interoperability rules and managing the evolving demands of the pandemic.
Scott Galbari serves as Chief Technology Officer at Lyniate.