A New Vision for Healthcare Cybersecurity

Earlier in my career, I attended medical school (although I never graduated, much to my parents’ chagrin). While doing so, I was privileged enough to work at a clinic in Baltimore that served primarily HIV-positive patients. It was a formative experience: I found that patients would often risk their own health outcomes to avoid having their information shared and their diagnosis exposed to the community. Some would miss appointments or skip doses of life-saving medication to avoid having colleagues learn of their illness. A few patients were so concerned about the privacy of their diagnosis that they ceased care entirely—a choice that potentially cost them their lives.

HIV-positive patients are far from the only individuals with sensitive diagnoses. Over the course of their lives, most people will accumulate information in their electronic medical records (EMRs) that they would rather not share with the world.

That’s why, for the last several years, my colleagues and I have worked to advocate for a step change in the way we think about healthcare cybersecurity. This is not a new insight in the field, but it has a special resonance for me. During my time in medical school, I learned that three key factors define the success of a patient safety intervention—and happen to be the exact components of a successful cybersecurity strategy. In seeking to advance healthcare cybersecurity and privacy practices, we can look first to these key elements.

First, technology, broadly speaking, has been a powerful force in patient safety—and as healthcare needs continue to evolve, so, too, does the role of AI and machine learning in predicting and preventing patient safety events. The need for appropriate technological innovation is no different in healthcare cybersecurity, where we need both the basics of good frameworks and the augmentation that comes with transformative technology.

Culture is also a powerful transformational tool—perhaps the most critical of all interventions in patient safety. Whether creating safe harbors for reporting medical errors or developing more robust accountability for hand-washing, it is the challenge of cultural change that defines both the greatest opportunities and challenges in healthcare. Similarly, we have a great need for changing viewpoints, accountability, and entrenched practices in cybersecurity.

Similarly, workforce changes are a potent driver for patient safety improvements. An awareness of patient safety is now embedded in medical curricula across the country;. students have opportunities to engage early, and training in best practices is both freely available and valued by academia. With each new generation of clinicians, there grows more and more recognition of the importance of mitigating preventable errors—and our role in tackling these errors. In addition to fostering that awareness, we must create the pipeline and training that keeps our healthcare cybersecurity workforce strong and at the cutting-edge of challenges it will face.

Thus, one needn’t stretch their imagination to think of good cybersecurity and privacy as a matter of patient safety.It is, in every way, an essential component of reducing preventable, predictable harms—if we muster up the will to do so.

By emphasizing the patient safety dimension of healthcare cybersecurity, we can imagine a much rosier future—one where HIPAA is no longer mysterious and fear-inspiring, where healthcare providers understand and know how to address privacy and security concerns, and where organizations pool security resources for mutual benefit and advise one another through new information sharing channels.

In this scenario, vulnerability-ridden medical devices have been swapped for top-of-the-line IoT devices, and an investment boom has led to a surge of innovation in the sector.

Cybersecurity workers are no longer isolated from the rest of the organization; instead they are an integral part of overall strategy. Recruitment is easier because certification programs and Centers of Academic Excellence have created new talent pipelines, and employees have ample opportunities for growth, as well as automation tools to help them avoid the more tedious aspects of cybersecurity work.

These interventions aren’t all easy wins; they involve multiple governmental bodies, several industry organizations, and the sixteen million people working in the healthcare sector today. However, by orienting healthcare technology, culture, and workforce changes around patient safety, we can achieve better security, better privacy, and better health outcomes.