For all that the Covid-19 pandemic has been an exhausting and extensive trial of the U.S. health system, it has also given the sector a once-in-a-generation chance to advance itself beyond all expectations. When faced with the challenges and burdens of a public health emergency, care providers and research organizations embraced innovative solutions, setting the foundation for a more efficient, effective, and convenient era of healthcare.
Consider telehealth as an example. Before 2020, telemedicine was an underappreciated niche bogged down by inconsistent regulatory policies and insufficient infrastructure. But once the pandemic arrived, bringing with it the need for social distancing and remote healthcare, telehealth took off.
“We will never go back to 50 [telehealth] visits a day,” Dr. Paul Testa, the Chief Medical Information Officer at NYU Langone, commented for Healthcare IT News. “That genie’s out of the bottle.”
Testa might be understating matters some. One recent report from Frost & Sullivan estimates that telehealth will grow sevenfold by 2025 at a five-year compound annual growth rate of 38.2 percent. Researchers further project a rapid proliferation of remote patient monitoring tech, healthcare AI, and robotics — all of which stand to have a significant and positive impact on patient outcomes and provider efficiency.
But even periods of overwhelmingly positive growth come with growing pains. Amid healthcare’s recent tech boom, the industry has grappled with new and severe cybersecurity threats.
The number of cyberattacks on healthcare entities spiked after Covid-19 began. In the first six months of 2020, the Department of Health and Human Services reported an almost 50 percent increase in cybersecurity attacks directed at facilities’ network servers, computers, and digital messaging systems. By October, over 500 healthcare organizations had reported a breach of 500 or more patient records.
The numbers are alarming, if not entirely surprising. The healthcare sector has struggled with cybersecurity for years. It has a few unique vulnerabilities, many of which have been exacerbated amid the quick adoption of digital healthcare solutions during the Covid-19 pandemic.
Part of the issue is a lack of standardized security guidelines. As researchers for one 2020 report on the matter explained, “Hospitals and healthcare facilities have not been required in the past to adhere to stringent cyber regulation in the same way that banks, insurance companies and critical facilities have. Many of them rely on old, legacy systems and lack the qualified people power to maintain these and face novel security threats.”
Many organizations also have limited budgets. One estimate recently shared by Healthcare Finance News suggests that health systems only dedicate between four and seven percent of their overall budgets towards cybersecurity. This rate is less than half of what organizations that handle similarly personal data in other fields typically commit.
Even during the best of times, these factors are problematic and lead to security vulnerabilities. But in the pandemic, they have been compounded by the additional strain posed by the fast adoption of new technologies. As researchers for Sonic Guard recently wrote, “The speed of which these technologies were adopted did not allow for proper penetration testing and verification- meaning that the attack surface has been increased multiple times.”
Then, one has to consider the increased potential for human error. During the pandemic, healthcare staff has been stretched thin; many workers have found themselves working long shifts out of necessity. It’s easy to assume that these tired and often stressed employees may be more likely to make IT mistakes than they would in normal circumstances, leaving the proverbial door open to bad actors.
All of these vulnerabilities are significant and, in all likelihood, will continue to pose problems even as Covid fades. The past year has given us a glimpse into what the future of healthcare could look like; we’ve seen increased efficiency, increased convenient remote care, and improved health outcomes. The challenges the pandemic poses are inarguable, yes, but so are the advancements we’ve made.
But if we want to make the most of digitally-supported healthcare solutions, we need to address our new and longstanding security vulnerabilities.
Some organizations have already begun to batten down the hatches against pandemic-sparked intrusions. In November 2020, several Massachusetts hospitals made national news for their quick response to a broad spear-phishing attempt. Hackers had posed as representatives for the Department of Health and Human Services while reaching out to top hospital executives.
In response, the affected hospitals drastically increased security around their email services, developed new protocols around scrubbing external emails, and enhanced their filtering systems. Holyoke Medical Center arguably went the furthest, briefly shutting down its entire email system so its security team could scan for dangerous attachments.
“Now we sequester all attachments, and they have to be checked before we open them,” Holyoke’s CEO, Spiros Hatiras, explained of the efforts. “It’s a bit inconvenient, but it keeps us safe.”
There are, of course, steps that healthcare facilities should take beyond increased vigilance. Given telehealth’s rapid rise as a relied-upon care delivery method, provider organizations will need to invest in hardware and software infrastructure to facilitate digital care without compromising security. Incorporating HIPAA-compliant solutions and making the most of existing security features such as multi-factor authentication is a must. Contracting an IT security expert may help care providers identify, address, and resolve their vulnerabilities.
Beyond the tech itself, healthcare organizations may want to set aside resources to support employee education. To borrow a quote from former FBI supervisor Scott Agenbaum, it’s critical to “think holistically about how to engender a culture of security first that can be constantly reinforced. Education is your first line of defense.”
In the last year, the value that digitally-supported health tools can offer has been proven beyond any doubt. However, if those of us in the health sector want to make full use of the advancement opportunities at hand, we will need to minimize — if not eradicate — our current security vulnerabilities. Security will be critical; now and in the future.