Managing Risk in Healthcare: Creating a Timely Culture
Putting a low priority on adapting to technology puts organizations at risk of cyber breaches.
New technologies are opening the doors for improved approaches to risk management. However, these innovations won't have a strong effect on health and safety until they are accepted at the highest levels of the decision-making pyramid and used to their fullest.
Unfortunately, that doesn't always happen.
Let's consider artificial intelligence (AI). It's a technology that benefits all types of industries, including healthcare. For instance, AI is used to deliver improved immunotherapy for cancer treatment by devising individual therapies based on each patient's genetic makeup.
That is just one application. The potential uses in healthcare and risk management are practically endless, especially when AI is paired with machine learning (ML). But there remains a set of problems that prevent us from exploiting its full potential.
Many institutions, including healthcare facilities, run an IT estate that has grown and evolved over time. It often consists of disparate systems, many of them incompatible with one another and patched over repeatedly. Maintaining and upgrading these legacy systems costs money, and IT managers have rarely had an influential voice at the C-suite table. The infrastructure changes needed to run AI workloads and to store and use data securely require budget and testing time, and they must survive a decision-making process that can take weeks or months. Meanwhile, technological change keeps accelerating in speed and complexity, and so does the momentum of cybercriminals.
The second problem is that the human users are seldom given the training required to manage their data systems securely. Phishing and spear phishing are the classic examples. Phishing is still on the rise, and it poses enormous risks to a healthcare facility, from data loss to life-threatening conditions. A phishing campaign generally starts with an email carrying a deceptive payload: a link or an attached document that purports to be anything from a job application to a threat of arrest for non-payment of taxes. Most of these attacks depend on a staffer clicking that link or opening that attachment; until someone does, the criminals have little to work with. And people do click, because they have not been given sufficient training - not in software, but in the very human skills of critical thinking and time management.
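The paragraph above names the two payload types but not how a mail gateway or a security analyst would spot them before a staffer clicks. The following is an added example, not code from the original article: a small Python triage routine that parses a constructed sample message, flags anchors whose visible text names a different registrable domain than the href target, flags link hosts that embed a trusted domain name without being it (the "irs.gov.tax-notice.net" pattern), and flags attachment extensions that commonly carry macros or executables. The sample email, the TRUSTED_DOMAINS set and the RISKY_EXTENSIONS set are assumptions made for illustration.

```python
"""Heuristic triage of a suspected phishing email (added example; constructed data only)."""
import email
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the hospital treats as legitimate link targets.
TRUSTED_DOMAINS = {"example-hospital.org", "irs.gov"}
# Assumption: attachment extensions that commonly carry macros or executables.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".lnk", ".iso", ".html", ".docm", ".xlsm"}

# Constructed sample message modelled on the "arrest for unpaid taxes" lure.
SAMPLE_EMAIL = """\
From: "Tax Office" <notice@irs.gov.tax-notice.net>
To: staff@example-hospital.org
Subject: Final notice before arrest warrant
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Pay now: <a href="http://irs.gov.tax-notice.net/pay">www.irs.gov/payments</a></p>
<p>HR portal: <a href="https://example-hospital.org/hr">example-hospital.org</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Notice_2019.docm"
Content-Disposition: attachment; filename="Notice_2019.docm"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host of a URL, or of bare 'www.example.com/path'-style anchor text."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def registrable_domain(host):
    """Last two labels; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host):
    """True when a host embeds a trusted name but its registrable domain differs."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return False
    return any(t in host or t.replace(".", "-") in host for t in TRUSTED_DOMAINS)


def triage(raw_message):
    """Return human-readable findings for one RFC 822 message string."""
    findings = []
    for part in email.message_from_string(raw_message).walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment: {filename}")
            continue
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            target = host_of(href)
            # Visible text that itself looks like a URL but points at another registrable domain.
            if "." in text and " " not in text and registrable_domain(host_of(text)) != registrable_domain(target):
                findings.append(f"link text/target mismatch: '{text}' -> {target}")
            if is_lookalike(target):
                findings.append(f"lookalike domain: {target}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

Run against the sample, the routine reports the text/target mismatch, the lookalike host and the macro-enabled attachment, while the genuine HR link passes. The two-label approximation of a registrable domain will misjudge country-code second-level domains such as .co.uk, so production gateways use a public-suffix list; and none of this replaces the training the article calls for, since a lure with a plain "click here" link and no attachment produces no finding at all.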
The best-known results of phishing scams are data breaches. They have become so commonplace that they seldom attract significant media attention or public outrage. Data is an invisible asset, but in this day and age it is worth more than money. Healthcare data covers everything to do with patients: medical records, home addresses, family members. Everything and anything. And there are always people ready to take that data and use it. A vendor too small to be noticed, such as a mom-and-pop florist, has an email and invoicing relationship with the hospital's accounts payable department, and that department in turn connects to the hospital's data stores and security systems. This is how data stores are infiltrated: the same way biological infections spread, through invisible and often unpredictable contact.
Let’s look at something a little more tangible: siegeware.
Cybercriminals always like to focus on soft targets, those with weak or non-existent security measures. In people's homes, this means unsecured routers, drones, or smart doorbell systems. In the enterprise, it can mean Building Automation Systems (BAS) such as HVAC, alarm systems, and elevator management. These become entry points for cybercriminals to take ransomware to a higher level by laying siege to the entire building: raising or lowering room temperature to a level dangerous to patient health, or disabling fire suppression, lighting, power, or emergency management systems. Any of these remote attacks might necessitate a full evacuation, bringing an entire hospital to a very difficult and dangerous halt.
Ineffective password management, under-use of two-factor or multifactor authentication, under-use of Virtual Private Networks (VPNs) to keep management interfaces off the public internet, and poor cyber hygiene in general are direct causes of many of these attacks. According to security company Kaspersky, almost 4 in 10 computers used to control smart building automation systems worldwide were targeted by malicious attacks in the first six months of 2019.
Like AI and ML, smart technologies offer enormous benefits to healthcare and society at large, but their risk profile often goes underappreciated in a culture that doesn't fully grasp the speed and reach of technology in this era. The pace of change in the enterprise is generally slow, and change itself is often difficult to accept. Senior management takes on the role of steering a very large ship, and according to conventional education and management theory, large ships cannot or should not turn quickly.
An article in the New England Journal of Medicine (April 2018) describes risk management in healthcare as comprising "the clinical and administrative systems, processes, and reports employed to detect, monitor, assess, mitigate, and prevent risks." It identifies eight risk domains under the umbrella of Enterprise Risk Management (ERM), including:
- Clinical & Patient Safety
- Human Capital
- Legal & Regulatory
- Environmental- and Infrastructure-Based Hazards
The issue becomes: who is holding this umbrella? Senior management must continue to break down intellectual and departmental silos to ensure that awareness and communication exist across the entire culture. Threat actors pose an undeniable health risk, and like other pathogens, they will stop at nothing to find every weakness and entry point.