How unifying departments into one kingdom protects patients and data
By Jonathan Langer
Much like enterprise organizations, hospitals have different departments with their own goals and operating procedures. And like large multi-faceted companies, hospital departments—in this case, the C-suite, biomed, and IT/security—rarely interact directly until necessary. This leaves hospitals with a series of silos that often struggle when priorities are different and overlap exists. In a bizarre twist, there is a rallying cry and a united front when their healthcare institution is threatened by cybercriminals demanding a ransom or trying to steal patient personal information, financial details, or other pertinent data.
While a cybersecurity incident can have a bonding effect, it is one that all companies and institutions want to avoid at any cost. As we saw with Universal Health Services (UHS) in September 2020, a ransomware attack on its healthcare institutions in the U.S. caused a severe disruption in patient care. And recent financial statements put the cost of the cyberattack to UHS at a staggering $67 million in damages.
Since healthcare institutions protecting valuable patient data need to be operational 24x7x365, it is now clear that cybersecurity is not a “nice to have” but rather a necessity. This means that all parties must present a unified front across departments, not only when there is an attack but on a constant basis, to create a truly secured hospital. To do this, the chasm between the IT/security department, biomed group, and C-suite needs to be bridged so that they work in sync.
Facilitating a Culture of Collaboration
As HTM professionals, you’re tasked with maintaining a growing number of Internet-connected devices. But this can create issues—particularly from a security perspective. For one thing, many health systems don’t have an accurate device inventory or know the location, status, and security posture of every device on their network.
Moreover, as hospitals go digital, all of these devices are part of the hospital network. And each can act as a vulnerable entry point for a cybercriminal to exploit. These devices are the weakest link and easiest entry point for the three most prevalent attacks on healthcare—ransomware/malware that can shut down the entire system; data breaches enabling cybercriminals to obtain patient records; and disruption of device functions, which can ultimately result in patient death.
Fortunately, HTM professionals don’t have to tackle this issue alone. Here’s how the C-suite and IT services play critical roles in cybersecurity and why understanding the needs of these different departments is the first step toward unification.
Hospital C-suite: This group largely views cybersecurity from a financial point of view. Costs and budgets are a top concern for every hospital C-suite and demands are made to other departments on how to increase efficiency while cutting costs. Technology and automation are two areas that are often highlighted in helping with this initiative.
The problem comes when the IT/security group needs to implement solutions with a larger upfront cost or without a quick and evident return on investment. These technologies may include cybersecurity options that are seen as more preventive in nature, rather than reactive. As a result, they are not always written into the tight budget that most hospitals operate on. However, when a ransomware attack with a demand for payment occurs, it is highly scrutinized, and the IT department is the first to be called to task by the C-suite on why there were no preventive efforts in place.
IT services: Speaking of the IT department, their primary focus is providing the IT/security services that assist the medical staff, as well as the entire institution. Health IT assists with solutions related to electronic health records, networking of devices, server and software solutions, telehealth platforms and, most importantly, the security of the IT/security network.
IT’s role intersects with all the aforementioned areas—leveraging the C-suite to obtain the funds and approval to advance operating systems needed to keep the hospital on the cutting-edge of medical innovation, as well as collaborating with the biomed team to coordinate security procedures across all the equipment they are tasked with maintaining.
The biggest challenge that IT/security faces is the growth of Internet of Things (IoT) devices on the network and the protection of these endpoints. It entails more than just knowing what devices are accessing the network and communicating across it. Effective analysis of network traffic provides a deeper layer of security and assists in uncovering any anomalies.
Each day, healthcare networks continuously transmit a significant amount of sensitive information, and further, contain endpoints that are connected directly to patients. By having full visibility and deep knowledge of how these devices are performing, IT leaders can then identify threats in advance and mitigate these dangers, as well as minimize the chance of a loss of information or, worse, a direct attack on patient safety.
Overall, with open communication and a clear understanding of the interdependencies between these departments, healthcare institutions can achieve a unified focus and goal to improve patient care while optimizing costs across departments.
Bringing Everyone Together—Without an Emergency
While cooperation between these departments is important, it can only take you so far. Biomed and IT/security groups must have a seat at the C-suite table to be considered for planning and growth discussions. And the C-suite must understand that these departments are critical to a hospital’s smooth operations and not just another line item on the budget.
In the past several years—and especially during the recent pandemic—IT/security and biomed leaders have stepped up to showcase the strategic importance of their departments. This has been achieved in the form of ensuring governance and compliance reporting, creating efficiencies with new platforms—such as telehealth—and collaborating on security and inventory management. Of particular importance, when the C-suite is given clear reports on how the bottom line can be positively impacted (such as savings created on staff time or a rise in the level of patient care), then these groups are given greater consideration and strategic priority.
And, rather than these groups coming together only when there is a cyberattack, this continuous collaboration allows for a healthcare institution to strengthen its overall operations. For example, IT professionals can assist biomed with an inventory or clinical asset optimization platform, enabling them to track the devices on the network.
HTM professionals can then work with IT/security to properly maintain these devices, ensuring patches and updates are made to eliminate risks and security breaches through these IoT systems. IT/security can, in turn, implement network segmentation and other proactive methods to protect the overall hospital network and detect any issues before they arise. Such efforts will likely result in the C-suite seeing better patient care and improvements in the bottom line—a win-win for all parties.
In conclusion, it should not take a potentially catastrophic cyberattack to break down the silos between the C-suite, biomed, and IT/security departments. Unification is the strategic goal. When these teams work together, hospital operations are strengthened and prioritized. But for this to happen, the C-suite must have clear representation from these department leaders in the strategic planning process, while these individuals need to clearly show their value to the bottom line of the organization.
The good news? Each day, these groups are becoming more attuned to what goals need to be accomplished and, further, the urgent priority to work in closer concert with their industry peers. And as personal healthcare IoT devices gain popularity, these departments must work even more closely to ensure that patient data and the network remain secure.
Jonathan Langer is CEO and cofounder of Medigate, bringing nearly two decades of cybersecurity experience to the role. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].