Cybersecurity insights

Introduction

On Friday June 2nd, the U.S. Department of Health and Human Services released The Report on Improving Cybersecurity in the Health Care Industry from the past year’s work by the Healthcare Industry Cybersecurity Task Force – a group of 21 experts and stakeholders in healthcare, spanning both the public and private sectors. Imprivata, along with four of our customers, were invited to discuss cybersecurity issues and to create and refine this report. A key finding of this report is that cybersecurity in healthcare is about patient safety, and for that to improve, stakeholders must be involved in ensuring cyber resiliency – not just focusing on privacy. Now, more than ever, the onus is on healthcare organizations to secure their systems, medical devices, and patient data. This new emphasis on resiliency is what will allow healthcare systems to continue to operate and provide care despite increased attacks from threat actors.

I’d like to thank and congratulate my fellow Task Force members on and for the creation of this report. Its existence is evidence not only of the need for healthcare to align on the topic of cybersecurity, but also that we are on our way to building a secure, resilient healthcare sector.

David Ting
Co-founder and CTO, Imprivata

Executive summary

Of all critical infrastructures, the healthcare sector is viewed as being the most targeted by cyber attacks – but also has historically been the least prepared to address them. Part of the problem comes from a lack of guidance and recommendations that are prescriptive in building cyber resiliency. The regulatory requirements in healthcare have primarily focused on ensuring privacy of patient records. The changing landscape of threat actors has changed, as evidenced by the desire of cyber criminals to cash in on patient identity, credit, and medical data.

The Cybersecurity Act of 2015 mandated the creation of a cybersecurity task force that would report on how the nation’s cybersecurity threats in healthcare can be addressed.

The Report on Improving Cybersecurity in the Health Care Industry identified many critical problems in the healthcare industry as it relates to cybersecurity, including:

• Lack of staffing
• Lack of funds
• Frameworks, access, and processes 

It also offers six key imperatives, supported by specific recommendations and action items, that healthcare can follow in order to change behaviors and build cyber resiliency. Those imperatives, reflecting the need for a unified, cross-functional effort, are:

1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity
2. Increase the security and resilience of medical devices and health IT
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
4. Increase health care industry readiness through improved cybersecurity awareness and education
5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure
6. Improve information sharing of industry threats, risks, and mitigations

The Report on Improving Cybersecurity in the Health Care Industry examines how people, processes, and technology can converge to create a strong, trusted cybersecurity strategy. Technology alone is not enough to combat cyber threats effectively. Imprivata strives to help healthcare organizations succeed by enabling them to act securely and conveniently, and by taking all of those components into consideration:  

• PEOPLE

  Imprivata solutions enhance security because workflows of end users – real people – are taken into consideration. For technology to be adopted, and not just implemented, clinical workflows need to be the basis of deployment.

• PROCESS

  The report calls attention to the NIST cybersecurity framework, as well as other components of technical frameworks. Not only are Imprivata products NIST certified, but they have helped to educate healthcare on exactly what multifactor authentication can, and should, look like in healthcare. The report calls two-factor authentication a must for the healthcare industry – but the workflows surrounding it are also extremely important.

  Recommendation 2.1 of the report focuses on a key piece of building cyber resiliency – securing legacy systems. Many legacy systems such as medical devices and EHR applications have security weaknesses that can contribute to the compromise of networks and systems. Securing medical devices, applications, and access to applications is crucial to a cybersecurity strategy. Imprivata solutions are purpose-built to address securing medical devices, processes, data, and clinical workflows.

  Keeping track of processes – and governing them – requires the ability to report on their success. Imprivata offers reporting for many different workflows and processes. Imprivata reports can audit, show Meaningful Use, and track where, when, and by whom an application is accessed. 

• TECHNOLOGY

  Technology must be built into the people and process components – it cannot stand alone. Imprivata customers succeed because technology is embedded into workflows, not enforced despite them.

  CHRISTUS Health reported that with desktop virtualization and Imprivata OneSign, more than 1400 clinical hours were saved – a savings which also contributed to a total financial savings of more than $1.6 million. The use of virtual desktop infrastructure (VDI) saves time and money, but it can also be used to build and enforce cyber resiliency. VDI improves patching capabilities, the ability to adhere to principles of least privilege, and the ability to centrally manage large numbers of end points.

  With strong, multifactor authentication in place, healthcare systems using Imprivata Confirm ID have been able to secure remote access, medical devices, and transactions such as EPCS.

  Being able to deliver quality care starts with ensuring that the patient is positively identified and authenticated. Imprivata PatientSecure has helped healthcare organizations reduce duplicate medical records and improve patient satisfaction by embedding positive patient identification technology into key workflows, such as registration or radiation oncology.

  It needs to be easy for clinicians to communicate about patient health information – but it also needs to be secure. Imprivata Cortext allows providers across the enterprise to securely connect, collaborate, and communicate with colleagues.

Imprivata solutions represent only a portion of the giant, complicated healthcare cybersecurity puzzle that was discussed in The Report on Improving Cybersecurity in the Health Care Industry, and there’s certainly much left to be done. The report offers guidance in many different areas and for many different stakeholders within the healthcare industry – but one thing is for sure, the healthcare industry needs to start changing its behavior, look to the future, and start building cyber resilience. Now.