The latest affront to cybersecurity in the healthcare space is an investigation conducted by ProPublica discovering that medical images and health data belonging to over 5 million Americans have been sitting on 187 servers across the nation that are unprotected by passwords or basic security precautions and accessible to anyone with internet access and "basic computer expertise."
It made for shocking headlines, and steps have been taken to rectify the situation. However, most people will no doubt soon forget it, just like the 551 active cybersecurity breach investigations currently listed on the Department of Health and Human Services website. The ProPublica investigation noted that incidents have affected over 40 million individuals in the U.S. over the just past 24 months.
Cybersecurity failures involving what should be sacrosanct health information have become so frequent and common that we are collectively desensitized.
There's even a now-standard response usually involving many apologies and promises to do better, followed by a brief witch hunt and the purchase of some supposedly improved technology or security system. Then it's back to business as usual. Like popular consumer security systems for the home, we collect the greatest new gadgets, install them and play with them for a few days. Then we quickly decide they're too much of a hassle to activate all the time or maintain, and we forget about them — until porch pirates attack and we decide it's time to buy the latest upgrade.
The same thing happens in healthcare cybersecurity. We buy lots of software and technology and then hope for amazing miracles to ensue so we don't have to worry about it anymore.
But that's not how cybersecurity works. Technology will not fix this problem.
Tension
Ever since we began digitizing our world, there's been a dynamic and unavoidable tension between easily using and reasonably protecting what we value. You've always needed some sort of physical item or device and/or code or password to use privileged technology, be it an employee ID badge, username and login or biometric scan. The fundamental idea is to provide automated convenience to the user while still protecting assets from unauthorized access. However, as we use more technology, we encounter more security mechanisms that cause friction.
It was no trouble to memorize a four-digit personal identification number (PIN) to access our bank accounts when ATMs first began popping up conveniently in neighborhoods across the globe. But it’s considerably more laborious to memorize 12-digit mixed-character and mixed-case PINs to access your house, car, workplace, phone, laptop and every app you use — oh, and then change them every 90 days.
All technology comes with an "access versus authorization mechanism" trade-off. As technology evolves, that tension evolves along with it. We have smartphones with password generators, virtual keychains, digital wallets and single sign-on systems, but are our assets any more secure?
Truth
The truth is that technology cannot provide the whole cybersecurity solution. Health organizations can, and do, spend millions of dollars on equipment and software, and it still won't make them cybersecure. All the AI and quantum cryptography we can dream of cannot solve cybersecurity. There is no "set it and forget it" option.
People change, and so do their tools, and different circumstances require different mechanisms for maintaining a balance between usability and security. No one wants private medical data and images floating around on open-access servers hooked up to the internet. Moreover, no emergency room nurse should have to enter a 12-digit password into some keypad before starting an IV on a patient who is bleeding out. What lies between those extremes is often ambiguous.
Tactics
Simply acknowledging that there is no such thing as being completely cybersecure and that technology is complicated does nothing to fix what is a pretty poor state of affairs. So how do we achieve better cybersecurity, particularly in the literal life-or-death field of healthcare?
Oddly, the Central Intelligence Agency's fascinating compendium of "cognitive psychology literature concerning how people process information to make judgments on incomplete and ambiguous information" provides some helpful guidance in this area.
"Of the diverse problems that impede accurate intelligence analysis, those inherent in human mental processes are surely among the most important and most difficult to deal with," author Richards J. Heuer Jr. wrote. "Training is needed to (a) increase self-awareness concerning generic problems in how people perceive and make analytical judgment ... and (b) provide guidance and practice in overcoming these problems."
What works for superspies could work for healthcare security. I believe a similar strategy can be applied to cybersecurity within organizations through:
• Training: Continual education and reinforcement should be provided for everyone who uses the systems, not just for those in IT and not just right after a breach or when new technology is introduced. The idea is to increase everyday security awareness individually to strengthen security posture organizationally.
• Perception and analytical judgment: Maintaining cybersecurity involves a continual learning process, revisiting what we identify as harmless or dismiss as too burdensome as well as what we perceive as threats, and prioritizing how to best mitigate risk while preserving operation. It requires encouraging everyone to think about how they use their tools.
• Guidance: Leadership must lead. Cybersecurity starts with the CEO, who needs to regularly ask more questions and learn to ask the right ones. Instead of accepting assurances or lists of the latest safety tools and technologies deployed within the organization, the first question should be along the lines of, "What can we be doing better?"
• Practice: Consistency in reporting and communicating about security posture is critical, as is maintaining simplicity and clarity. Most importantly, cybersecurity practice is reflected in budgeting for appropriate time and resources.
It should be noted that all these tactics center on actual human effort. We can't just keep throwing technology at cybersecurity or pretending that it's a technology issue. Cybersecurity is about people.
