Cybersecurity and Interoperability: You Can’t Have One Without the Other

The Pandemic’s Perfect Storm

During a national emergency, there will always be those who seek to turn the chaos to their own profitable ends— and the coronavirus pandemic has been no exception. 2020 was the fifth straight year in which reports of hacking incidents increased, with the 2020 number 42% higher than 2019. Hacking incidents made up 62% of patient data breaches, affecting over a million people a month— and there may have been attacks so successful we don’t even know about them yet.

How did this happen? The simple answer is, not enough to go around. With hospital staff stretched to the breaking point, many administrative functions were put on hold or suspended altogether in order to redistribute the work hours to patient care. This switch, while necessary, resulted in too many care facilities not keeping up with their data protection measures, leaving themselves vulnerable to security breaches.

Finding the balance between setting (and sticking to) security protocols while quickly responding to the evolving demands of healthcare organizations is a challenge that IT professionals are struggling to meet— and ironically, one solution they’re calling for is an idea that’s already much talked about in healthcare IT circles: increasing interoperability.

United We Stand, Divided We Fall

According to recent studies, more than three quarters of healthcare workers say that email— the most commonly used communication method between hospitals and care facilities— introduces a high level of cybersecurity risk. Telehealth was a close second at 70%— and we all know how many people have come to rely on telehealth during the pandemic.

Legacy systems— that is, outdated systems no longer supported by their manufacturers— also pose a significant security risk, because a lack of manufacturer support means a lack of patches and updates to protect those systems against new threats. Many organizations continue to use legacy systems because they’re too expensive to upgrade or because an upgrade may not exist. This means those systems also lack the capability to integrate with other technologies— in other words, they lack interoperability.

The Ponemon Institute recently presented findings that show large healthcare organizations use an average of 47 discrete cybersecurity tools across their networks, and the research firm ESG reports that these tools are sourced from an average of 10 different vendors. It’s little surprise, then, that healthcare organizations struggle to get their systems to talk to each other, when even implementing and training employees on their use is such a large task.

What’s more, using so many different tools from different sources creates roadblocks to interoperability that makes all of these tools less efficient than they would be if they worked in concert. Manual threat analysis is no longer a viable response to the pace and skill of cyberattacks, and with different tools comes different information sets that can sometimes contradict each other.

For too many years, cybersecurity companies have treated interoperability as a bug, not a feature— but they can no longer waste time protecting their proprietary threat data, when standardizing that data and sharing it is the key to defending against those threats. Integrating cyber-defense tools to operate alongside other systems will remove the onus from healthcare organizations to understand and enact cybersecurity protocols, and instead let them focus on the life-saving work they do in the field.

How Do We Get There?

The FBI has repeatedly reported that healthcare is the sector most often targeted by cyberattacks. However, their spending on cybersecurity is only reported as 4-8% of their annual budget, compared to 16-20% from the finance sector. Higher risk should lead to higher spending on protection— and with the volume of attacks still increasing, mitigating the healthcare sector’s risk will be a staggering job, one that will take not just bodies on the ground but the right technology, and the tactical strategies to best implement it.

What would that technology look like? Ideally it would look like a standardized list of protocols, processes, and open-source software that can link cybersecurity tools to each other, helping them work in tandem instead of at cross purposes. If tools spoke the same language, they could share threat intelligence, identify and classify threats in real time, and automate responses to those threats. This would not only make it significantly easier for organizations to protect their patients’ data, but it would allow cybersecurity companies to make greater strides in innovating security solutions.

Adopting open standards for cybersecurity and interoperability will take time, and organizations can encourage this by giving the feedback to their cybersecurity providers. By promoting the creation of a more interoperable cybersecurity landscape, companies can take the lead on building a global, sustainable, cybersecurity network. We must work to create a structure that supports the healthcare community as a whole, and speaking up as a unified voice eager for interoperability is the first step toward that support.

Contact HCRS today to learn more about cybersecurity and interoperability.