The hybrid healthcare security imperative: Getting the risk-reward ratio right

Unlike a few years ago, the first thing you think of when you hear the word “hybrid” today might not be a car. Hybrid, meaning a mix of in-person and remote activities, now describes a wide range of newly minted arrangements across industries and aspects of life, whether it’s your workplace, your school, or your healthcare.

We’re all aware of the rocket-like trajectory of telehealth in response to the COVID pandemic. Virtual connections between patient and provider became the anchor for hybrid healthcare and evolved quickly to include more than just video chats.

Today, hybrid care includes traditional clinic visits and hospital stays, plus an array of technologies and devices that enable remote monitoring and the exchange of clinical information from those who receive care to those who deliver it.

Therein lies the good, the bad, and the ugly.

Virtual healthcare security: The good

Virtual care is now recognized for its many benefits to patients, providers, and health organizations — convenience, efficiency, and better outcomes among them. Hybrid is the right response at the right time to meet consumers’ health expectations and deliver experiences that promote patient satisfaction and retention. Healthcare systems adapted impressively fast to crisis needs during the pandemic and continue to refine and expand their hybrid offerings.

Virtual healthcare security: The bad

But from an IT standpoint, the plethora of in-home devices in various states of vulnerability — sending data over unsecured networks into carefully protected clinical environments — can be a nightmare.

Mount Sinai South Nassau’s Information Security Officer and AVP of IT Security, Christopher Frenz, highlights this challenge. “One of the huge security impacts for virtual care to consider,” he says, “is that with the adoption of telehealth — in particular, remote patient monitoring — you’re seeing more and more medical and other types of devices being put in patients’ homes.”

Frenz acknowledges the rewards, but also recognizes the risks.

“While there are definite clinical benefits to doing this, we have to keep in mind [that] this greatly increases the attack surface for hospitals,” he says. The worry is real for hospital environments.

Frenz adds, “You suddenly have not just the traditional firewalled-off model, where everything’s internal to the hospital. You now have all kinds of devices sitting on all kinds of potentially insecure networks that are communicating back to the hospital.”

Virtual healthcare security: The ugly

Cybercrime continues to rise. And healthcare is the most targeted industry in the world¹ — because it’s an easy target, especially now. Breaches are extremely lucrative for hackers (the value of patient data is sky-high) and devastatingly expensive for healthcare organizations (average: $9.2 million per incident).²

On the flip side, many healthcare organizations skip steps they could take to reduce vulnerability, including upgrading legacy systems, adopting multifactor authentication (MFA), and gaining visibility into their complete device inventory. And 40% of organizations miss the chance to pull together a unified security strategy because they have not hired a dedicated chief information security officer.³

Frenz emphasizes the importance of software updates. “We already see that as a challenge for medical devices within hospitals, where a lot of devices become legacy devices [and are] much harder to protect.

“Within the internal hospital network, at least it’s easy to put compensating controls in place. We can do things like network activity monitoring, DNS sync, network segmentation,” he says.

“But if we have a legacy device sitting on an unsecured network in a patient’s home, what are the compensating controls we can put around that? That’s one of the things, as a CISO, I would think about,” he says.

The healthcare technology security journey

Patient experience extends to every part of the healthcare journey, and organizations looking to enhance it need to take a close look at security. Patient care includes caring for their privacy and peace of mind.

According to an Arlington Research and Kaspersky survey, more than half of global telehealth providers experienced cases where patients refused a virtual visit because they did not trust the technology or had privacy or data concerns.⁴

In the same survey, 81% of providers expressed uncertainty about how patient data will be used and shared from their virtual sessions.⁴ They were also concerned about the possibility of personal penalties if data were to be leaked. Neither patients nor providers should have to worry about device and data security.

The secure way forward

Frenz strongly recommends including security in any device purchase conversation. “Enhanced security should be a primary consideration when purchasing devices,” he says. “It’s increasingly important for CISOs, and hospitals in general, to vote with their wallet when acquiring devices like this. There should be a security assessment as part of the purchasing process.”

Here are three more steps organizations can take to build a stronger cybersecurity foundation.

  • Elevate cybersecurity to an enterprise-wide risk management issue with a designated strategic leader and ongoing security management practices
  • Instill a culture of cybersecurity as a key component of patient care alongside patient safety and patient experience initiatives — and support it with provider, staff, and even patient training
  • Balance the risks and rewards by investing in technology like patient portals and provider access systems that are both secure and frictionless