A Healthcare Headache: New Tech Often Means New Cybersecurity Concerns
By Eric Wicklund
Healthcare cybersecurity standards need to be strict for a reason: Compromised technology could lead to a patient’s harm, even death. But when a health system uses technology from a vendor, sometimes those standards aren’t the same.
“That’s a challenge,” says Adam Zoller, chief information security officer at Providence.
“As a large hospital system, we are relying on hundreds of third parties,” he says. “And when some of those devices are 100% vendor-managed, they often won’t modify anything,” making it much harder for the health system to ensure that technology can be used safely and securely.
With the healthcare sector seeing data breaches and ransomware attacks on an almost daily basis, the federal government is making a push to strengthen security standards. The Health and Human Services Department has unveiled a four-stage strategy aimed at compelling healthcare organizations to be more diligent in securing technology and protecting data, building off of a National Cybersecurity Strategy that was unveiled by President Biden almost a year ago.
“Cyber incidents affecting hospitals and health systems have led to extended care disruptions caused by multi-week outages; patient diversion to other facilities; and strain on acute care provisioning and capacity, causing cancelled medical appointments, non-rendered services, and delayed medical procedures (particularly elective procedures),” the HHS report, issued in December 2023, noted. “More importantly, they put patients’ safety at risk and impact local and surrounding communities that depend on the availability of the local emergency department, radiology unit, or cancer center for life-saving care.”
Zoller has nothing but good things to say about the federal government’s efforts to improve cybersecurity, particularly in elevating the responsibilities of the National Institute of Standards and Technology (NIST). And while many vendors in the clinical space are taking steps to better secure their technology, the rapid advance of AI and digital health is prompting health systems and hospitals to partner with companies outside the healthcare industry—companies with different philosophies around security.
“There needs to be more accountability,” he says.
Health systems like Providence spend a lot of time addressing cybersecurity through these devices—even when the vendor isn’t responsive to making changes on their end. Those are time-and labor-intensive projects that a smaller hospital or health system might struggle to accomplish, and which could be avoided if the organization and vendor could just work together.
This is an issue that has plagued healthcare for years. The gradual advance to consumer-facing care and the introduction of consumer-facing technologies and strategies has created a gap between those devices and clinically validated technology. In other words, health systems and hospitals have been looking at the consumer tech space with an eye toward expanding healthcare opportunities, but they’re wary of the value of the data coming from these devices as well as the safeguards in place to protect that data.
“If I’m still having to educate the vendors who produce these devices about security [every time there’s an update}, that’s a real problem,” says Zoller.
Now multiply that by the number of vendors are large hospital system like Providence works with, and the problems become even bigger.
“We are very dependent on those third parties,” Zoller says, “so the biggest challenge for me is in managing third party risk at scale.”
To be clear, this is an industry issue, not just a Providence issue. The American Hospital Association has been advocating for better cybersecurity safeguards for this party vendors for years, and large health systems like Providence are a part of that effort. But Zoller notes his voice is one of many, and while the big guys have the resources to manage multiple third-party partnerships, smaller health systems and hospitals are stretched thin and apt to have more issues.
He says healthcare organizations “are on the receiving end” of more and more technologies that don’t meet clinical cybersecurity standards because the industry is embracing new tools and concepts that have proven themselves in other markets, like retail. What might be a great new platform that boosts clinical care in the home setting might also be a security nightmare.
Zoller wants the federal government to extend its cybersecurity guidelines to vendors in the healthcare space who manage their products on commercial operating systems, to bring them to the table to discuss with healthcare organizations how their technology can better adhere to clinical cybersecurity standards. He says the new HHS cybersecurity guidelines set a good baseline that health systems and hospitals can use when working with vendors.
“We need to look at where the equities are aligned,” he says. “It is great that we’re beginning to see more of these conversations around security … but more needs to be done.”
The introduction of disruptors into the healthcare industry could have an effect as well. Companies like Amazon, Google, Apple and Microsoft are introducing healthcare services and products that aim to give consumers a choice as to where and how they get their healthcare. Given those options, consumers could look for services and platforms that better protect their data.
“The disruptors in this space could see security as a differentiator,” he says. “That could certainly make a difference.”
Eric Wicklund is the associate content manager and senior editor for Innovation, Technology, and Pharma for HealthLeaders.