Health care is undergoing a digital revolution, driven by the need to increase efficiency, embrace digital technology and improve patient care.
Yet the current pace, scale and complexity of technology adoption is putting health care providers at a significant risk of unwanted cyber intrusions. This, of course, has implications for their patients.
Health Care Digitization: $24 Billion and Growing
From a market perspective, health care is still comparatively new to digitalization; the vast majority of its related large-scale investments and legislation have occurred in the last decade.
According to data compiled by IHS, approximately $24 billion was spent last year on software and services in frontline clinical and administrative health care, with that number expected to escalate to more than $39 billion in the next five years.
The breathtaking pace and scope of technological change in the industry has left many health care companies overwhelmed, as they weigh the escalating cost of investment against the legislative penalties for non-compliance.
Consequently, cyber-security strategies are often overlooked or neglected, resulting in some health networks having a significant exposure to threats and a limited ability to detect or resist attacks.
Nowhere has this lack of resilience been more public than in the US market, where a recent string of network breaches exposed millions of patient records last year.
Consolidation of Mis-Matched IT Systems
The way in which the health care industry adopts IT is rapidly changing and multiplying its cyber risks. Legislative reform has driven a raft of hospital mergers and acquisitions, creating huge networks composed of hundreds of hospitals and clinics connected by common enterprise systems.
This consolidation has opened doors to new business models, such as those using the cloud, which accounted for around 10% of the revenue from software and services last year. It has also created disparate approaches to IT adoption, potentially resulting in each new group of hospitals having unique IT architectures, networks and specialist needs.
As an industry, the health care sector poses unique challenges and opportunities to companies offering cyber-security solutions. The diversity and volume of users can be a fundamental barrier to the implementation and enforcement of data-security solutions.
Not only do multiple site-workers require access to patient information across a spectrum of health facilities ‒ such as local clinics, physician offices, hospitals, laboratories and pharmacies ‒ but the information also needs to be made readily available to a complex network of administrative and insurance stakeholders.
Add to this companies’ efforts to reduce communications costs by encouraging employees to bring their own devices, and it’s easy to see why network-wide data protection and security training is extremely challenging.
Regulation of Patient Data
In this complex environment, the way in which patient data is electronically managed is constantly evolving, driven by regulation, innovation and demand for a wider adoption of mobile technology for use outside of hospitals.
Efforts to move preventative care outside of the hospital environment has given rise to services such as remote monitoring and video consultation. The use of personal health monitoring devices and smartphone apps are also on the rise. These trends are stretching the boundaries of cyber-security protection, while creating new, often insecure, entry points for hackers.
An increasingly complex regulatory environment has also served to distract health providers from the emerging cyber threat.
Unlike other industries, the digitalization of health care is bound to regulation, changing data standards and moving targets for adoption of new rules which, if not met, can carry severe financial penalties. Consequentially, health care providers can be drawn to systems and solutions that meet regulations ‒ and therefore offer the greatest return on investment – rather than internal data-protection requirements.
Health care data are highly sensitive ‒ at least on par with personal banking and financial information – a fact that is driving intensive debate on the use and ownership of patient information.
From the patient perspective (especially in light of the hundreds of recent data breaches in the health care sector) access to, and security and ownership of, digital health records have become the priorities. For providers, the challenge is to economically secure patient access, while protecting that confidential information from unauthorized third parties.
(The use of anonymous patient data for clinical research and commercial gain will also continue to grow, fueling the debate about the ethical and legal use of patient information).
Cyber Security Education
All told, health care is a daunting market for cyber-security providers. The good news is that the sector’s anticipated growth is expected to ensure a strong demand for solutions.
Part of the risk-mitigation process will be educating and raising the awareness of health care providers to cyber threats, especially with regard to the issues associated with the adoption of cloud technology.
It is not as simple as warning workers off the cloud or restricting access to it. Cyber solutions simultaneously must provide operational efficiency, commercial benefits and data security, integrating lifecycle costs with regulatory compliance.
In this complex environment, data organization will need to be more compartmentalized. As networks grow and access points to the data storage terminals expand, providers will need to implement layers of cyber security. Each layer will require independent security protocols ‒ yet adhere to common standards and regulation ‒ while concurrently guaranteeing access for patients.
What to Expect
Above all, the health care industry can expect the use of digital technology to continue to proliferate across multiple channels. The convergence of personal health and consumer technology will create an “internet of medical things,” if you will, requiring local, regional and national threat-prevention strategies. Even life-saving medical implants, such as pacemakers, will need to be protected from unwanted cyber intrusions.
The threat is real and growing in tandem with the pace of industry digitalization. Yet cyber security currently remains too low on the priority list for health care providers, legislators and professionals, lagging far behind the robust pace of adoption of digital networks.
This disconnect is putting the multitrillion-dollar sector at risk of even more significant cyber-attacks. The industry’s commitment to building cyber-defences may rise when the present drive for IT infrastructure implementation subsides.
But will that be too late? Given what’s at stake – patient health, individual privacy, and corporate reputations and profits ‒ the health care industry would be well advised not to wait too long to find out.