Unfortunately and tragically, the COVID-19 crisis has demonstrated that our public health and care delivery systems were inadequately prepared for this type of event. Although many front line workers fought, and still are fighting, heroic battles, they often did so lacking proper equipment and resources and without needed support and plans in place. One further area of weakness that has become apparent is the cybersecurity posture of the healthcare industry which, historically, has not been one to lead in this area and now has even been challenged even more.
Traditionally, the focus in healthcare has been on privacy laws and regulations, such as HIPAA, only recently coming to terms with the fact that compliance does not assure protection against sophisticated criminal or nation-state cyber attacks. The ongoing health crisis has made things even more critical as we have deployed new and distributed infrastructure in a hurry, thus offering criminal actors an attractive target. Further, politically motivated entities are seeking to disrupt our public health system or may be looking for valuable intellectual property from organizations participating in clinical studies and research.
While we currently have to prioritize clinical concern and patients’ medical needs, the cybersecurity risk introduced with increased connectivity cannot be ignored. Our industry must begin planning for cybersecurity in a post-pandemic healthcare world, addressing both the need to remediate identified weaknesses in our current ecosystem as well as assure that the security needs of the changed healthcare system evolving from this crisis will be addressed.
It is our thesis that the resulting significant changes in how healthcare operates will require fundamentally rethinking how cybersecurity is implemented.
The general consensus that is forming across healthcare cybersecurity experts is centered around the predicted trends and the leading practices to implement them:
● Steep increase in Telehealth and Telemedicine offering The adoption of remote health services was already well under way but by some estimates, COVID-19 has accelerated this trend by a decade. Lowered regulatory and reimbursement barriers have increased the number of telehealth “house calls” by multiples. Patient expectations, costs pressures, and technology capability will further move more critical services into the patients’ homes to monitor and diagnose diseases and even to deliver certain therapies. The sensitive, critical and voluminous data generated by this highly distributed infrastructure will need to be protected as it moves across home and public networks. This will require a novel and mature approach to cybersecurity to assure protection of patient privacy, reliability of medical processes, and prevent the correlation between medical data and patient identity or location.
