
Prioritizing continuity of care in the face of cyber risks in healthcare
Jan 30, 2025
Build a risk management and resilience program that puts the patient first.
Technological progress continues to reshape patient care, improve operational efficiencies, and redefine the overall healthcare experience. Economic justification for the digital transformation is driving electronic health records (EHRs), telemedicine, mobile health applications, and wearable health technology forward.
As in all spheres of business, SaaS adoption continues and more applications are now in the cloud. New medical devices are more connected than ever, moving the edge of care into the home and even anywhere 5G connectivity is available. More innovation is always on the horizon, especially with artificial intelligence.
In turn, the industry is seeing huge troves of sensitive and valuable data being created, processed, sent, and stored online every day. This makes healthcare organizations more attractive targets for cybercriminals, and data breaches are becoming more common. These breaches not only cause financial losses but also wreak havoc on patient care, up to and including death.
Legacy tech slows down digital initiatives
Compounding the challenge are sources of technical debt and security blind spots. Telehealth platforms were quickly implemented during the pandemic to keep care going. Some hospitals and medical centers had to cut corners, deploying without enough security or regulatory compliance measures in place. Now they’re playing catch-up. And expensive MRI machines are being shipped today that run on 15-year-old operating systems.
Old software and devices that are connected to digital and web-enabled platforms pose a serious challenge. Many medical devices and systems in use today, such as outdated radiology or laboratory information systems, were designed without security features, yet they are increasingly connected across digital value chains. Moreover, operational technology, like HVAC and medical gas control systems, can also be connected online. As a result, all of this becomes part of a critical healthcare infrastructure, which can expose and amplify security weaknesses.
Updating healthcare technology can be complicated, costly, or even impossible in cases where a vendor is no longer in business. Without security updates, patches, or up-to-date documentation about maintaining systems, it comes down to cybersecurity tools and good old-fashioned cyber hygiene to help shield environments with legacy devices.
Redefining cyber defense strategies
Given these challenges, how do CIOs, CISOs, and other tech leaders build a risk management and resilience program that puts the patient first? Unlike most other industries, when a ransomware attack knocks out hospital systems, the ramifications can stack up quickly.
Last May, after a ransomware attack, Ascension Health had to resort to manual processes and cope with care delays that led to additional risks. The HIPAA Journal reported:
Nurses at those hospitals have complained that they have far too many patients to ensure patient safety, with some nurses saying they have had to take on 5-6 patients due to the burden of paper charting and are feeling overwhelmed. There are also fears of medical errors due to the lack of access to electronic medical records. Clinicians are relying on patients to disclose all the medications they are on. A failure to mention one of those medications could have serious health consequences. Nurses have complained that without access to computers they are unable to see the labs that have been ordered and the results, and there are serious concerns about mistakes being made entering patients’ vital medications. Lab work is often required to make quick decisions about patient care. Processes that normally take 30 minutes to an hour to process are now taking several hours, delaying decisions that could have serious health consequences for patients.
Technology, automation, and simplification are key, but not everything
The increasing embrace of cloud-based solutions and zero trust architectures within healthcare is a testament to their significance in mitigating risk by reducing the attack surface, limiting lateral movement, and allowing access to apps and data only on a verified per-user, per-session basis. These modern approaches also help support the Cybersecurity Performance Goals (CPGs) issued by the Department of Health and Human Services (HHS), such as “Separate User and Privileged Accounts,” “Network Segmentation,” and “Asset Inventory.” Yet there is more that can go into a multilayered cybersecurity strategy.
Extend incident response plans into the ongoing education of staff on cybersecurity risks, protocols, and policies. Nurses and doctors are often the first line of defense against cyber threats (e.g., social engineering attacks), and their understanding of what to do and what not to do in a crisis can significantly affect the delivery of care and the patient experience.
Cyber leaders should keep teaching staff about phishing, safe browsing habits, and how to handle ID badges and passwords, then partner with other stakeholders in crisis management. Similar to planning for an unplanned power outage, emergency plans should be in place for responding to IT/OT outages that affect important systems like ventilators, medication delivery, imaging, labs, and patient monitoring. These plans should ensure security, continuity, patient experience, and employee experience are all accounted for.
Creating an incident response plan and testing its efficacy with various cyber exercises when possible is important for reducing the blast radius of a cyber attack while maintaining delivery of patient care during a cyber incident.
With the right technology and processes, healthcare providers can be well-equipped to stay resilient and respond quickly, all while keeping patient safety at the top of the priority list.