Becker's Hospital Review

September-2023-issue-of-beckers-hospital

Issue link: https://beckershealthcare.uberflip.com/i/1506185


EXECUTIVE BRIEFING (SPONSORED)

Cybersecurity in Distributed Care: The C-Suite's Guide to Balancing Increased Patient Access & Heightened Risk

Cybersecurity has become a top-of-mind issue for the healthcare C-suite. Distributed care delivery models — which bring care to patients virtually or physically, outside of traditional care facilities — are complicating the cyber landscape. While this care model can greatly improve patients' access to care, it also creates a larger attack surface for cybercriminals to target and increases an organization's cybersecurity risks.

The good news is that IT security best practices, when properly employed, can help mitigate this added risk by reducing system complexity and eliminating inefficiencies, enabling a more consistent, secure and reliable digital experience for clinical and nonclinical staff.

Becker's Hospital Review recently spoke with two cybersecurity experts from Palo Alto Networks — Tony Douglas, regional vice president, U.S. Enterprise Healthcare, and Lee Gardner, healthcare security architect — about the importance of employing cybersecurity best practices in distributed care models and key points that healthcare leaders need to know.

Distributed Care Expands Patient Access, but Also the Attack Surface

The COVID-19 pandemic prompted the healthcare sector to experiment with different approaches to care, using various technologies to connect clinicians and patients. Hospitals and health systems confirmed it's possible to deliver effective care in non-traditional ways.

"As organizations deploy technology to support neighborhood clinics or hospital-at-home initiatives, they must ensure that cybersecurity is a top priority," Mr. Douglas said. "If we don't get in front of this, it will increase risk for the industry as a whole."

When care moves outside of a healthcare facility, this means the security perimeter moves closer to patients. If patients interact with an online coach or engage with a remote pop-up clinic, for example, cybercriminals may listen in on communications. Security is also a concern when transferring data to a central health system or storing it locally.

"Patients trust that healthcare organizations will safeguard their personal information," Mr. Gardner said. "A primary mission for healthcare systems and providers is to do no harm. If a health system fails to protect a patient's data, that can do irreparable emotional and financial damage. As you extend care into the community, you need the right cybersecurity controls in place to protect individuals' information."

To Stay Ahead of Cybersecurity Challenges, IT Needs a Strategic, Top-down Approach

Traditionally, cybersecurity has been pushed from the bottom up in organizations. However, in today's world, IT and network security must also be pushed from the top down. IT leaders need a prominent seat at the table whenever the C-suite is making decisions, whether it's a cloud transformation initiative, a change to the EHR or deploying network-connected medical devices.

"This ensures that organizations enforce IT security best practices at the time that decisions are made," Mr. Douglas said. "They can address any potential risks or vulnerabilities early on. It's essential that this occurs, given the growing number of cybersecurity breaches in healthcare."

Cybersecurity must be integrated into every area of the organization, including biomedical science, research labs, clinics and nonclinical areas. At the same time, cybersecurity measures need to be aligned with the organization's overall business objectives. Healthcare IT and business teams should actively collaborate to provide a secure, well-connected and consistent digital experience for patients and providers. That can only happen if security is front of mind and fully integrated into programs.

"Cybersecurity needs to be part of every project that's implemented," Mr. Gardner said. "Education and awareness must be pushed from the top down so that everyone understands that cybersecurity is their responsibility. If you can prevent even one cyber incident from happening through good education and communication, that's a win."

Standards-Based Frameworks Should Guide a Platform-based Approach

To continuously assess their IT risk, hospitals and health systems need to adopt a standard security framework. For example, organizations may decide to use the NIST Cybersecurity Framework (CSF) or HITRUST as the basis for measuring risk and evaluating adherence to IT security best practices across the entire technology landscape.

"By using a framework, you can identify trends over time and see where the organization is making progress and where more attention is needed," Mr. Douglas said.

These frameworks also help facilitate communication about cybersecurity. They enable IT practitioners to explain programs and risks to senior executives in a consistent way, using terms that are understandable.

"At the end of the day, awareness is
