What you should know beyond the breach: A call for action and innovation in healthcare cyber

ICYMI, check out our LinkedIn Live on how recent cyberattacks could drive congressional change in healthcare cybersecurity

Healthcare organizations struggle with cybersecurity because their data is very valuable, because cybercriminals are persistent, and because the tools and methods hackers use keep advancing. Yet, lack of resources, limited budget, and complex technical and interoperability challenges present a barrier to making cybersecurity advancements – especially for under-resourced hospitals. IT teams are working hard, but bolstering security and outpacing cybercriminals is becoming a cyber inequity issue, posing a threat to patient safety and public health.

At Imprivata, we recognize that addressing cybersecurity in healthcare is a multifaceted challenge. On August 15, Imprivata hosted a LinkedIn Live, Beyond the Breach: A Call for Action and Innovation in Healthcare Cyber, which explored the role of healthcare organizations, policymakers, and software vendors like us in improving the state of cybersecurity in healthcare.

ICYMI, here are some highlights from the discussion between Imprivata CEO Fran Rosch and Dr. Sean Kelly, MD, Chief Medical Officer and SVP of Customer Strategy, Healthcare, at Imprivata, as well as a practicing ER doctor at Beth Israel Hospital.

Beyond the breach

One of the most alarming cybersecurity incidents in recent history was the February 2024 cyberattack on UnitedHealth-owned Change Healthcare. This attack not only disrupted services but may have exposed the data of as many as one-third of Americans, according to UnitedHealth CEO Andrew Witty’s testimony to a Congressional committee on May 1, 2024.

The Change Healthcare breach highlighted a critical issue: it was a central failure point for numerous healthcare providers' payment systems, lacking necessary redundancies. Many providers, unable to implement recovery and backup systems due to budget and resource constraints, accepted this risk. However, the financial damages from the breach surpassed the costs of establishing such backups. Additionally, the breach was attributed to the absence of multifactor authentication (MFA) on an essential system.

“How many other breaches have been driven by third parties that have potential legitimate access, and how many are driven by a lack of MFA, when it’s a basic, simple security technology to deploy?” said Fran Rosch. “We have to remember the basics as well as the more sophisticated tech.”

The ramifications of the Change Healthcare breach had a significant impact on care providers and patients – particularly as many had to shut all systems down and pause payments processes to remediate the breach.

“Our hospitals run on small margins if not negative margins anyhow, and then suddenly you’re faced with that thought as the CIO...to say we’re going to shut it all down and not be able to submit claims,” said Dr. Sean Kelly. “So that patient who’s waiting for a heart transplant we don’t know if we can get it paid for, we don’t know how to bill for it.”

From there, it comes down to identifying the cause of the breach as quickly as possible and mitigating any damage or risks, though that can be a challenge due to the complexity and interconnected nature of healthcare’s digital environment. There were many factors that contributed to the Change Healthcare breach and its fallout, underscoring the need for vendors, healthcare organizations, and regulators to do better.

Healthcare’s call to action?

The Change Healthcare event and other recent cyberattacks have sparked national discussions about the need for robust cybersecurity standards in healthcare. Groups like CHIME and the Health Sector Coordinating Council (HSCC), along with industry advocates like Dr. Sean Kelly, argue for minimum cybersecurity standards that not only address the unique needs of healthcare organizations, but also offer incentives for compliance.

Healthcare providers with fewer resources to invest in cybersecurity, and the communities they serve, are at heightened risk of attack, making financial incentives especially key for hospitals that struggle with IT funding. Furthermore, when care processes are derailed at hospitals in rural or remote areas, it creates medical deserts that pose a significant risk to patient safety. For instance, it may take a patient in critical condition hours to get the care they need if they are diverted to a facility in another town.

Dr. Sean Kelly explained that it’s critical these disparities are considered when discussing any potential legislative mandates for cybersecurity.

“Certain basic things like two-factor authentication should be in place,” he said. “But a mandate that says you have to put all these things in without any funding behind it is really unrealistic for a lot of healthcare systems.”

The challenge of implementing cybersecurity measures

Fran Rosch and Dr. Kelly also discussed the challenges that mandated cybersecurity legislation poses to the sector, while reflecting on the lasting implications of the 2009 Meaningful Use initiative. To implement effective legislation, policymakers need to create a realistic program that avoids placing a greater burden on already overwhelmed healthcare organizations.

“There’s a budget and funding concern, but also a workflow concern,” explained Dr. Kelly. “These aren’t systems you can just lock down and make completely safe but unusable… When I’m in the ER and a patient comes in Code Stroke, I have to get into that system. And if I’m locked out because I can’t remember a password and I tried to reset it and now I can’t get in, I can’t do anything [for that patient].”

Developing effective cybersecurity measures for healthcare is a complex undertaking for many reasons. Shared device ecosystems and the need for rapid access to information mean that security measures can’t be allowed to impede clinical workflows. Effective cybersecurity solutions must simultaneously offer robust security, ease of use, and efficient workflows, so they do not become onerous for providers.

Moving forward: Realistic goals

Legislative change takes time, but the threat landscape urges healthcare organizations to take steps to improve cybersecurity now. So, what can organizations do in the meantime to enhance their cybersecurity posture even with limited resources?

Cybersecurity should certainly protect all access points, but Fran Rosch pointed out the importance of making third-party vendor access a focus of any good cybersecurity strategy. “I think we as security professionals tend to build our security for that 95 or 98% [of employee users]. Because that's the vast majority. But those are actually the people we trust most. And that 2 or 5% of vendors with temporary access, whether it's temporary work or someone coming in to repair a piece of machinery or provide an ongoing service – they’re a small part of the population, but maybe the riskiest because you don't know them.”

Dr. Kelly expressed optimism in the fact that there are solutions that actually have the full range of capabilities that healthcare organizations need. “You should not be forced to choose between privacy, compliance, and security on the one hand, and usability, efficiency, and productivity on the other. That’s a broken paradigm. Any good technology, any good solution, should actually allow for more of both.”

The cybersecurity challenges facing the healthcare sector are significant but not insurmountable. With coordinated efforts and a focus on realistic, incentivized compliance standards, healthcare organizations can strengthen defenses and continue to provide safe, efficient care to patients across the nation.

“I think the core point is we need to stay ahead of the curve a little bit and understand that we have a workforce in medicine that is more burned out than ever, right? It's not an easy job. And I gotta tell you, the hardest part isn't seeing a cancer patient or fixing a trauma patient, but rather, all the stuff around it, from compliance to filling his documentation, working on for two hours after a shift because I'm clicking through to make sure we get our billing points right,” said Dr. Kelly. “But certain solutions and technologies get rid of some of that pain and make that friction go away, while also making it more secure. And that's the kind of magic you get when you can deliver good consumer grade software into the enterprise.”

Tune in to learn more

Check out the recording of our LinkedIn Live for an in-depth look at these issues, plus actionable advice you can apply to protect your own organization.
