Addressing Cybersecurity Risks in the Healthcare Industry

Updated on December 13, 2019

All industries must recognize the importance of cybersecurity to operational technology: the hardware and software that monitors, controls, and alters physical systems. As information and operational technologies continue to converge, however, security risks increase. While the manufacturing, infrastructure, utilities, energy, and transportation industries can vigorously address security risks by securing industrial networks, the healthcare industry has some additional, specific concerns.

Things like thermostats, lighting, elevators, and HVAC systems are getting “smarter” by the day. Even medical devices like pacemakers and insulin pumps can be vulnerable to hacking. Healthcare organizations that employ smart technology to run buildings efficiently or manage biomedical devices must address cybersecurity risks that could compromise operations, threaten privacy, and endanger patients. 

Patient Privacy

Information security breaches that compromise patient privacy have been a serious concern, and healthcare organizations must do all they can to address this issue. However, it isn’t just stored patient information that’s at risk: medical devices have become more “networked” and thus vulnerable to attack. The FDA recognized the problem and in 2016 issued FDA 2015-D-5105-0001, a non-binding recommendation for postmarket management of cybersecurity in medical devices.

Invisibility

As healthcare organizations employ more smart technology to manage physical devices, the CIO’s role must expand to include an understanding of threats against operations. Beyond computer hardware, cybersecurity concerns now extend to areas of physical plant management that may previously have been invisible. Security for new building systems and infrastructure is as important as it is in medical information management.

Policies and Standards

Policies and standards that work for selecting information systems and managing medical records might not make sense for dealing with threats to operational technology. A healthcare facility can’t simply shut off the lights overnight to apply an update or a patch. Facilities must put plans in place to address a threat to, or a breach of, physical systems. They can achieve this by segmenting systems appropriately to minimize the scope of threats and by examining whether devices or systems need to interact with the Internet to perform optimally. Also, when considering vendors, make two things a factor: compliance with cybersecurity standards, and a protocol for applying patches and updates without compromising vital systems that must run continuously.

Personnel

Addressing risks to operational technology requires a continuously changing skillset. Healthcare organizations need to plan to acquire the talent necessary to bring cybersecurity into the operational sphere. Fortunately, universities and government agencies now recommend that graduate engineering students take cybersecurity courses to graduate. The operational technology security field will continue to grow, and healthcare organizations must get in front of the trend and work to attract developing talent in the field.

All organizations with complex operational systems and networked devices must contemplate and address cybersecurity risks as the Internet’s role in business operations expands.

The Editorial Team at Healthcare Business Today is made up of skilled healthcare writers and experts, led by our managing editor, Daniel Casciato, who has over 25 years of experience in healthcare writing. Since 1998, we have produced compelling and informative content for numerous publications, establishing ourselves as a trusted resource for health and wellness information. We offer readers access to fresh health, medicine, science, and technology developments and the latest in patient news, emphasizing how these developments affect our lives.