Healthcare information safety has been a rising concern for CIOs for the final yr or so, as hackers are more and more focusing on well being data. Now, with a worldwide pandemic forcing a shift to telemedicine and distant work, and new guidelines from the ONC and CMS introducing extra regulatory burden, healthcare CIOs have extra to handle than ever. Happily, it’s doable to roll out new capabilities whereas concurrently bettering cybersecurity by following these three guidelines:
Rule 1: Suppose Like an Attacker
The coronavirus pandemic has pressured healthcare suppliers in all places to roll out new capabilities, processes, and workflows, akin to telemedicine techniques and new affected person check-in procedures. These measures are being taken along with the required work being achieved to adjust to the brand new mandates from ONC and CMS relating to affected person information accessibility. Although these adjustments must be carried out rapidly, it’s essential to comply with cybersecurity finest practices to keep away from offering new openings for attackers.
When a hacker sees new techniques and processes being carried out, they’re interested by:
– What software program is being launched? Are there recognized vulnerabilities or regularly unpatched exploits related to it?
– How are new endpoints being added and are they safe?
– For the reason that new ONC and CMS guidelines require publicly uncovered FHIR APIs, how can these be attacked? Are there social engineering exploits that may present a manner round safety?
– Are there methods to perpetrate identification fraud if a affected person doesn’t must be bodily current to obtain healthcare?
This strategy ought to result in a cybersecurity plan that places measures in place for every recognized threat. By pondering just like the adversary, it’s doable to establish and lock down the doable assault vectors.
Rule 2: Decrease the Assault Floor
Each manner into a company’s community must be secured, monitored, and maintained. One of the simplest ways to make this course of as environment friendly and fool-proof as doable is to attenuate the variety of methods into the community.
That is particularly troublesome in mild of the ONC and CMS guidelines, which require that scientific techniques should share information via publicly accessible FHIR APIs. At first, this looks as if a mandate to radically broaden the group’s assault floor. Certainly, that is exactly what occurs if the simple strategy of exposing each scientific system via public APIs is adopted.
A special strategy, which gives the identical capabilities and compliance with the principles, can be to route all API visitors via a central hub. Attaching all of the scientific techniques to a single level of API entry gives an a variety of benefits:
– Most significantly, compliance is achieved whereas minimizing the brand new assault vectors.
– All visitors between scientific techniques and the surface world might be monitored from a single place.
– The API hub can act as a façade that makes legacy techniques compliant with the brand new guidelines, even when these techniques lack native FHIR API capabilities.
The API hub needn’t be an costly new part of the community structure. Most healthcare organizations are already utilizing a scientific integration engine to maneuver HL7, XML, and DICOM visitors amongst their inside techniques. The identical expertise can function an API hub. That is particularly efficient if a brand new occasion of the combination engine is positioned in an remoted a part of the community with out full entry to different techniques.
Rule 3: Have an Skilled Assessment the Defenses
Even for healthcare organizations with cybersecurity consultants on employees, it may be worthwhile to herald a cybersecurity guide to cross-check new implementations. Novel threats are continually shifting and rising, making it almost inconceivable for inside IT employees to maintain up with the looming threats of ransomware hacks, whereas additionally adequately finishing up the day-to-day tasks of their jobs. For that purpose, it is sensible to herald knowledgeable who focuses solely on safety. It’s also typically helpful to have an unbiased overview from somebody who’s wanting on the implementation from an outsider’s perspective. Unbiased consultants can present the required steerage, threat assessments, and different safety assist, to set healthcare organizations up for achievement and function extra securely.
Increasing a company’s IT capabilities typically means extra publicity to threat, particularly when implementations are topic to time constraints. Nevertheless, given the worth and significance of the information that’s being generated, transmitted, and saved, it’s crucial to not let cybersecurity fall out of focus. By following finest practices round design, implementation, and testing healthcare organizations can rise to satisfy the present challenges of the pandemic, tackle the mandates of the interoperability guidelines, and concurrently enhance information safety measures.
About Scott Galbari, Chief Know-how Officer
As Chief Know-how Officer for Lyniate, Scott leads the event and supply of all services. Scott has been within the healthcare IT area for the previous twenty years and has expertise in creating and delivering imaging, workflow, nursing, interoperability, and affected person circulation options to prospects in all geographies. He was most lately the Common Supervisor for a number of companies inside McKesson and Change Healthcare and began his profession as a software program developer.
About Drew Ivan, Chief Product & Technique Officer
Drew’s focus is on tips on how to operationalize and productize integration applied sciences, patterns, and finest practices. His expertise consists of over 20 years in well being IT, working with a large spectrum of consumers, together with public HIEs, IDNs, payers, life sciences firms, and software program distributors, with the purpose of bettering outcomes and lowering prices by aggregating and analyzing scientific, claims, and price information.