Chapter 6: Conclusion

This report is a call to arms. Our framing of healthcare cybersecurity as a patient safety issue is by no means new. But it is certainly not the industry standard either, and for the reasons we have seen, it deserves to be. That needs to change, because when envisioning the state of healthcare cybersecurity in five years' time without that reframing, the worst-case scenario is so striking that it is easy to fall into pessimism. In this world, attackers become so proficient and so prodigious that hospitals include ransomware payments as part of their annual budget. Patients withhold critical information in fear of data breaches and refuse lifesaving medical devices in fear of horror stories they have heard about hackers taking over pacemakers. Old, unpatchable medical devices are used every day, while the few new devices sit in near-mint condition, waiting for security professionals to make sure they won’t introduce yet another vulnerability. Approval takes a long time anyway, because turnover of security workers is high. Experienced healthcare security professionals get so bored going through logs and dealing with compliance issues that they quit in frustration. Few candidates are there to take their place—any job seeker that learns of the healthcare sector’s low pay and arcane regulatory environment quickly flees to greener pastures.

This image is so visceral (and so close to what we hear from so many frustrated healthcare CIOs) that it almost feels real. But we are optimists. With a change in the narrative toward one that emphasises the patient safety dimension supported by the timely implementation of the sort of recommendations we have outlined in this report, we can imagine a much rosier healthcare cybersecurity landscape. Here, healthcare providers big and small, urban and rural, understand their privacy and security concerns and know how to address them. Organizations pool security resources for mutual benefit and advise one another through new information sharing channels. HIPAA is no longer mysterious and fear-inspiring. Rather, providers usually understand what best practices look like, and when they do not, they know where to ask questions.

In this scenario, the old, tan-colored, vulnerability-ridden medical devices have been swapped for top of the line IoT devices, all with the hard-earned FDA cybersecurity Software Development Life Cycle seal of approval. An investment boom has led to a surge of innovation in the sector and cybersecurity is at the forefront, with blockchain-based EHR systems for file integrity, real time network analytics that leverage automated incident response playbooks, and AI for insider threat detection.

Here, cybersecurity workers are no longer isolated from the rest of the organization. They are an integral part of overall strategy and are accountable to the board of directors, who receive regular updates on their work. Recruitment is easier because certification programs and Centers of Academic Excellence have created new talent pipelines. Employees that are hired stay on for longer because they have ample opportunities for growth and automation tools help them avoid the tedious aspects of cybersecurity work.

With the right interventions from the government and the private sector, this second, more optimistic vision can be realized. These interventions are not all easy wins. They involve multiple governmental bodies, several industry organizations, and the sixteen million people working in the healthcare sector today.[1] However, by following the cultural, technological, and workforce recommendations made in this paper, patients five years from now will enjoy better security, better privacy, and therefore better health outcomes.

Citations
  1. Derek Thompson, "Health Care Just Became the U.S.'s Largest Employer" (The Atlantic, January 9, 2018)
