How Hospitals Can Address Medical Device Vulnerabilities - MedCity News

Healthcare technology has evolved significantly in recent years. For example, electronic health record systems, clinical information systems, patient portals, and electronic billing systems are commonplace today. New solutions using machine learning and artificial intelligence are transforming the way we diagnose and treat disease. Telemedicine networks connect patients with doctors and specialists across the country, and nanomedicine has the potential to revolutionize the treatment of cancer, diabetes and many other diseases.

Just like the digital technologies that preceded them, these new technologies bring new security risks that organizations must address to protect patients and their data. The authors of HIPAA predicted these risks two decades ago, leading to the implementation of the HIPAA Security Rule. The Security Rule continues to provide the security framework that healthcare providers and their business partners must adhere to when implementing and operating systems that create, receive, maintain, or transmit electronic protected health information (ePHI). However, simply requiring a third party to sign a business associate agreement promising to comply with the requirements of the HIPAA Security Rule is no longer sufficient to manage the associated risk of adopting current and emerging technology solutions.

As the speed and magnitude of positive impact increases with new technologies, so does the potential harm.

The Department of Health and Human Services’ Healthcare Cybersecurity Coordinating Center (HC3) recently issued a threat brief on the security risks of the most promising emerging technologies impacting healthcare. The HHS HC3 list of emerging technologies includes artificial intelligence, 5G cellular networking, nanomedicine, smart hospitals, and quantum computing and cryptography.

We are particularly concerned that vulnerabilities in these technologies could ultimately lead to loss of life. Unfortunately, every technology listed in the HHS HC3 threat brief may fall into this category.

Organizations must prepare for the new wave of technology to avoid security and privacy risks.

Cybersecurity supply chain risks have been a growing concern for healthcare organizations for several years. Specifically, these risks arise from the acquisition, development, maintenance and disposal of IT products and services obtained from external suppliers. The concern is valid: for three consecutive years, the most significant breach affecting the healthcare industry resulted from a breach at a vendor that supports a large number of healthcare organizations.

Healthcare providers typically purchase or license their technology solutions from vendors or share platforms with partners. Historically, providers licensed software products from vendors and purchased the IT hardware necessary to run them. Today, an organization’s IT portfolio likely also includes software-as-a-service solutions hosted in the cloud and cloud-based infrastructure-as-a-service on which the provider builds its virtual infrastructure, servers, and data storage.

Often, solution vendors themselves purchase, license, or subscribe to software libraries and other components that developers or manufacturers obtain from further third parties. Solutions can also be hosted on hardware or cloud services supplied by yet other providers, adding still more third parties. In many cases, the acquiring organization inherits a Russian-doll nesting of third-party risks when it adopts a complex new technology solution.

Although the technical vulnerabilities that can be exploited will vary depending on the new technology, the higher-level issues are the same.

Cybersecurity supply chain risk management is the process of identifying and mitigating potential risks that may arise from third-party products and services within an organization’s information technology (IT) infrastructure. Given the increasing reliance on IT infrastructure to deliver care, a healthcare organization must also consider the risk to patients, employees and business. The objective is to manage this risk to a level acceptable to the organization.

To understand the risk, the organization needs to know the safeguards implemented by the developer or manufacturer during the design, development, production, implementation and ongoing operation of the technology to protect the confidentiality, integrity and availability of the information being processed, as well as the physical safety of users and others exposed to the technology. It is also essential to find out what components, especially third-party components, the developer or manufacturer has used within the solution, as those components carry their own risks. When appropriate, a software specification request is recommended. Depending on the level of risk, including the potential impact, organizations may also consider requiring the manufacturer to produce reports on independent testing of the technology or, even better, to allow the organization to test it independently. Suppose the vendor will receive or store ePHI on behalf of the provider. In this case, the prospective buyer must understand the security program and controls in place to protect the information and decide whether they are sufficient given the potential impact of a breach.
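The component inventory the paragraph asks for is only useful if someone actually checks it. The following is an added example, not code from the article or from any vendor it mentions: it assumes the requested specification arrives as a CycloneDX-style JSON bill of materials and cross-checks each listed component against an internally maintained list of versions known to be affected by published advisories. The SBOM fragment, the component names and the advisory entries are all constructed for illustration; in practice the advisory list would be fed from NVD or manufacturer bulletins.

```python
"""Cross-check a vendor-supplied component inventory (SBOM) against a local
list of known-affected component versions.

Added example; all data below is constructed and illustrative.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed CycloneDX-style SBOM fragment a vendor might supply on request.
# Component names and versions are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1"},
    {"type": "library", "name": "example-tls-stack", "version": "1.0.9"},
    {"type": "library", "name": "example-ui-toolkit"},
    {"type": "operating-system", "name": "example-rtos", "version": "4.2"}
  ]
}
"""

# Constructed internal advisory list: component name -> versions known to be
# affected. A real program would populate this from NVD or vendor bulletins.
KNOWN_AFFECTED: Dict[str, Set[str]] = {
    "example-tls-stack": {"1.0.8", "1.0.9"},
    "example-rtos": {"4.1"},
}


@dataclass
class Finding:
    component: str
    version: Optional[str]
    status: str  # "affected", "unversioned" or "clear"


def parse_sbom(text: str) -> List[dict]:
    """Return the component list from a CycloneDX-style JSON document.

    Raises ValueError if the document does not declare the expected format,
    so a mislabelled or hand-edited file is rejected rather than silently
    treated as an empty inventory.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return list(doc.get("components", []))


def assess(components: List[dict], advisories: Dict[str, Set[str]]) -> List[Finding]:
    """Classify every component in the inventory.

    A component with no version cannot be checked at all and is flagged as
    'unversioned' so the buyer can go back to the vendor rather than assume
    it is fine. Affected components are listed first.
    """
    findings: List[Finding] = []
    for comp in components:
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        if version is None:
            status = "unversioned"
        elif version in advisories.get(name, set()):
            status = "affected"
        else:
            status = "clear"
        findings.append(Finding(name, version, status))
    order = {"affected": 0, "unversioned": 1, "clear": 2}
    return sorted(findings, key=lambda f: (order[f.status], f.component))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status for a one-line risk summary."""
    return dict(Counter(f.status for f in findings))


if __name__ == "__main__":
    results = assess(parse_sbom(SBOM_JSON), KNOWN_AFFECTED)
    for f in results:
        print(f"{f.status:<12} {f.component} {f.version or '(no version)'}")
    print(summarize(results))
```

The "unversioned" status is the point worth keeping: an inventory entry that cannot be matched against advisories is a gap in the vendor's answer, not evidence of safety, and it belongs in the list of questions sent back to the manufacturer.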

When dealing with information technology, organizations must consider what happens if the information processed by the technology is accessed or disclosed due to human error, negligence or unauthorized access. What if the technology becomes unavailable or the data is corrupted?

Organizations should ask:

  • How would we know that data has been exposed, and can we determine how it happened?
  • What if integrity is compromised? How do we know what has changed?
  • How will we understand the consequences and how to correct them?
  • What if the technology fails? Can we function without it?
  • What is the impact, how do we manage until we get it back online, how do we get it back online and how quickly do we need to do it?
  • Are people at physical risk from using this technology?
  • Do the benefits outweigh the costs?
  • What is our obligation to inform about the risk?

When an organization decides to accept the risk and implement a technology, it must continue to manage that risk on an ongoing basis. Ongoing risk management includes monitoring the technology for new threats and vulnerabilities and testing safeguards to ensure they function as intended. Finally, the organization should regularly reassess the risk to confirm it is still within an acceptable range and take appropriate action if it is not.

We often get caught up in the hype surrounding new technology. It’s exciting to think about the possibilities, but every technology comes with risks that we need to understand and manage before they become a reality.

Establishing a strong cybersecurity supply chain risk management program helps organizations develop controls within the acquisition process to measure and manage risk. Implementing a robust vendor risk management program allows organizations to embrace emerging technologies in the future while protecting systems and data in the process.

Photo: roshi11, Getty Images
