Why Meditech values cybersecurity (Q&A)

In a recent phone interview, Meditech security analyst Justin Armstrong shared his company’s approach to cyberattacks and his thoughts on the future of security in healthcare.

Much of the focus on cybersecurity revolves around hospitals and what they could have done to prevent an attack. But what about EHR vendors? How do they play a part in keeping systems secure?

In a recent phone interview, Justin Armstrong, security analyst at Meditech, discussed the company’s focus on awareness, culture and the future of healthcare cybersecurity.

This exchange has been lightly edited.

Why is healthcare largely behind other organizations when it comes to cybersecurity?

This obviously really bothers me to see, but there are a number of reasons why healthcare security is behind.

One of the things is that there’s always been an emphasis on patients and patient care. First and foremost, the biggest challenge is that patients come first. And that’s a good thing.

Another area is complexity. With modern healthcare, we have all these medical devices. Most hospitals won’t just have one electronic health system — they’ve all got to be integrated together. When you look at how big a hospital is, that complexity makes it difficult.

Cyberattacks seem to have already gotten worse this year, with the dawn of WannaCry and Petya. Has Meditech amped up its cybersecurity efforts in response to these incidents?

Even though we’re not a security consultant company, we have been doing a lot to get security efforts out to our customers. We see that larger hospitals are doing quite a bit to improve. A lot of the small and mid-sized hospitals are what worries me the most.

I’m a member of a number of different groups, including InfraGard. We have a monthly meeting and hear a lot about cyberattacks. I’ve been encouraging many of our customers to join. Through that group, there’s also a Cyber Health Working Group. We have conversations back and forth. It’s an exciting time to be in information security, but also a little scary to see what’s going on.

Internally, we’ve done a lot to improve security. We locked down on our use of file shares. With our web product, obviously security was a top-of-mind concern. A lot of effort was put into that to make sure the infrastructure was sound and we were following best practices.

How does Meditech work to create a culture around cybersecurity?

A lot of our developers are very security conscious. They know about vulnerabilities.

To spread it internally, we’ve made a lot of efforts. I have an internal newsletter that I send around. We started sending out bimonthly postings that talk about phishing emails and common tactics that are used today. Keeping people aware of it on a regular basis is key.

Say one of your clients experienced a data breach. How does Meditech help? What does your disaster recovery plan look like?

A lot of people don’t realize how much Meditech goes above and beyond to support its customers. With the recent WannaCry issue, that required a lot of patching of Windows systems. Sometimes patching doesn’t go smoothly, and as we encounter issues our staff is there to assist. After it hit in the U.K., our staff was extremely busy night and day with assisting customers.

We’ll have regular calls with [our clients] to ensure we’re there when things come up. We’ve been there to help them see what their hardware requirements are for particular systems.

It’s been said that people are the weakest link, and many cyberattacks occur because of individuals’ mistakes. How is Meditech ensuring that its employees, and its clients’ employees, are well-informed of cyberthreats?

Awareness is a big part of it. We’ve done a lot to not only make people aware of that, but our internal systems do a lot to filter [threats] out.

You’d think being in this business would make me really cynical about people. But when you look at these cases, the majority of people are good. There are just a few bad apples, so to speak, that ruin it. Someone that has total access to your network can do the most damage. Don’t just think the threats are going to be from the outside. There could be a malicious insider or someone that does something accidentally.

For a few years, multiple organizations have issued calls to action regarding cybersecurity. But what will it really take for the healthcare industry to step up to the plate and work to prevent cyberthreats?

I’m a big believer in information sharing. There are information sharing organizations that vendors and hospitals are able to join and share their experiences.

In a recent Cybersecurity Task Force report, they talked about developing the cybersecurity workforce in healthcare. Even if you can’t bring in somebody who’s already an expert, you can train them on security and they start to think about it differently.

There’s no quick fix or magic bullet. You need to continually think about it and work toward improving your environment.

Photo: mattjeacock, Getty Images