AI’s Role in Healthcare Cybersecurity

By Matt Phillion

We’ve seen a boom in virtual services in healthcare over the past few years, and more and more patient data is moving online. Healthcare has always been a popular target for hackers given the value of patient data and the reputational harm that a data breach can cause an organization, and those attacks aren’t slowing down: According to a report by IBM, the cost of a security breach for the healthcare industry has reached $10.1 million, a jump of almost 10% since 2021.

“The pandemic helped accelerate visibility,” says Sanjay Bhakta, vice president and global head of solutions for Centific.

Modernizing healthcare applications and infrastructure has highlighted how challenging it is to safeguard those same elements, and we’re seeing the aftereffects in the results of data breaches, he notes. “We’ve seen a significant uptick, and it is obvious it’s a manifestation of the technologies and process complexities in the industry,” says Bhakta.

To provide things like telehealth services during the pandemic, organizations rapidly adopted and deployed applications. “Unfortunately, while the cause was wonderful—an improved patient experience—this enabled visibility to security vulnerabilities if not properly prioritized and addressed by robust security engineering best practices,” says Bhakta. “[Those best practices] were often secondary rather than primary concerns.”

The industry’s priority, understandably, was saving lives, Bhakta explains. “There was a need to respond due to the pandemic, to quickly roll out telehealth services and apps, ensuring patients can provide data about their vitals: different applications and mobile devices to help provide early indications of how they were feeling,” he says. “However, where bad actors could take advantage of healthcare’s call to humanity—that caused an open door for a lot of bad actors to perform a lot of complex security attacks.”

In addition, the industry’s reliance on aging technologies kept it vulnerable. “Many of these applications or IoT devices are prone to security challenge due to reduced security controls. If you’re working with an older version of a device, it may have an operating system that cannot be modernized, which leaves it susceptible to attack,” says Bhakta.

But even if healthcare didn’t rely on these older technologies, Bhakta notes, some in the industry were not adequately ready to respond to threats. “The pandemic has exposed a lot of these vulnerabilities. Whether you’re on the cloud or not isn’t as much of a deciding factor as how you respond,” he says.

Healthcare is often on the cutting edge of technology regarding patient care, but the industry tends to lag behind in areas like cybersecurity investment, Bhakta explains.

“The investment needs to be there,” he says. “Innovations servicing patients—IoT sensors, using AI for diagnostics—all of these are wonderful and really have a leading-edge aspect to them, but when it comes to [a healthcare organization’s] infrastructure, the investments are not held in a similar priority. The priority for patients should be the same [as the priority] for building a robust infrastructure managing the patient’s information while employing digital safety best practices to secure the organization.”

Where to begin

Any new devices procured should be mitigated for risk. While new devices and applications are great for patient care, introducing them without proper security controls can create risks that contribute to new attacks, notes Bhakta.

“I believe healthcare organizations recognize” this problem, he says. “This is lifesaving equipment. But also, while saving lives, that patient information is being stored on databases, and when that information doesn’t have adequate control,” it is at greater risk of exposure.

Bhakta says that a zero-trust methodology, multifactor authentication, strict identity and access management controls, spam and phishing prevention, and strict privilege management controls are key to removing risk to patient data. “Many types of risks and vulnerabilities could be controlled by only a select few staff members having access,” Bhakta says. “But there’s a trade-off [to] introducing very tight, stringent controls.”

He uses the emergency department as an example. They need to access data quickly on the fly, and limiting that access can slow processes down in an environment that requires rapid response. “There’s a balancing act between how much is too much control,” says Bhakta.

He says that healthcare needs a sophisticated, complex approach to assessing risk for their security posture for new and old applications and devices alike to identify vulnerabilities. Breach and attack simulation tools can provide a rapid assessment of the digital environment, but these tools are insufficient without other components such as a zero-trust methodology, adoption of National Institute of Standards and Technology security frameworks, and more.

“These types of attacks require constant testing: not once a quarter or even once a week, but 365/7/24 with these types of tools,” says Bhakta. “That moves you from reactive to proactive.”

Cybercrime is expected to cost more than $10 trillion annually by 2025, and the attacks are going to get even more sophisticated.

AI’s role as attacker and useful tool

AI-powered tools like ChatGPT are enabling bad actors to spoof emails more effectively than ever, says Bhakta. You might receive an email about an unpaid amount from your last office visit, a spoofed message from your insurance company—and AI has evolved to the point where those emails are much more believable.

“But [AI] can also be viewed as highly valuable in the healthcare industry,” says Bhakta. “You’re accelerating the ability to do research, cross-compare billing codes, to help those who have to respond to a lot of inquiries [by giving them] powerful tools to help them focus on delivering a higher level of care.”

Like other technologies rising to the forefront, using these technologies comes with the implied requirement of also protecting patient data.

Protecting patient data

“When we talk about being stewards of patient information, everyone is a steward in the entire ecosystem,” says Bhakta. “Whether it’s the payer, the provider, even the pharmacy, everyone has a responsibility to safeguard patient information.”

A provider’s place in the ecosystem determines their approach to safeguarding information, though. “Providers should know the ramifications and implications of having relaxed security controls and rules,” says Bhakta. “When they know what that looks like and can see examples, that’s where awareness and education [come] into play.”

The framework of “people, process, and technology” is also where protecting patient data must start, says Bhakta.

The elements in that framework “are still a bit arcane,” he says. “Where do additional pillars like risk, data, and safety relate to people, process, and technology? But when you start introducing these additional three pillars, the value is measurable not just from a cost perspective but in terms of patient outcomes. When you apply these pillars, you’re saying we’re not ignoring technology but focusing on how to improve the patient experience and outcomes through innovation.”

It’s a process with two steps working in tandem: the technology to provide better patient care, and the security to keep patient data safe while using that technology. “The people who are delivering this wonderful care are completely emancipated and very adequately informed about every decision they make and the impact it has on patients,” Bhakta says.

Matt Phillion is a freelance writer covering healthcare, cybersecurity, and more. He can be reached at matthew.phillion@gmail.com.