Health IT, Hospitals, Physicians

Aneesh Chopra: It’s the people problem that remains at the core of cyberattacks

Cybersecurity will continue to be a major issue for providers in the year ahead. According to CareJourney President Aneesh Chopra, the most common factors putting providers at risk are their employees and being unable to track data flow.

Cybersecurity blindspots — including human error and a lack of visibility into data flow — can leave healthcare providers particularly vulnerable to hacking.

That’s according to Aneesh Chopra, president of open data membership service CareJourney, who will be speaking about cybersecurity issues at the virtual Health Datapalooza 2021 conference, Feb. 16 – Feb. 18.

In a phone interview, Chopra shared his overarching concerns about healthcare data security going into 2021. These range from the fragmented nature of the data infrastructure to deficits in security software that can make an organization more vulnerable to attacks.

But for providers, the biggest data security concerns lie in individuals and data visibility, Chopra said. In fact, the no. 1 source of cyber risk for providers is human error, not software malfunction.

“It’s the employee that clicks the errant link,” he said. “It’s the update to the system that is poorly managed. Any number of failures — they tend to be human-led, not technology-enabled. You kind of need two to tango, but of the two it’s the people problem that remains at the core of cyberattacks.”

Further, Chopra believes providers need to move away from cybersecurity compliance checklists. Instead, they should focus on monitoring active traffic to determine if data is leaving their network when it’s not supposed to.

“An interesting question for any CEO might be, ‘how visible is my data flow to me in terms of what is coming into the enterprise and what is leaving the enterprise?'” Chopra said.

Data sharing workarounds, like using thumb drives or other external devices, can obscure healthcare leaders’ view into their organization’s data flow. Data visibility is key for leaders to identify attacks and respond quickly. Rather than building a moat to prevent hackers from getting into their organization’s system, leaders should focus on managing and minimizing the impact of potential data breaches, Chopra said.

Public-private collaboration will be essential for ensuring data security in healthcare. Chopra believes this type of collaboration can help advance industry standardization and determine best practices for cybersecurity. This in turn can help providers take the right steps to secure their data without exceeding their budget.

But support from the government will also be necessary, in the form of regulatory guidance that helps shore up cybersecurity practices and protocols. This includes regulations that require providers and payers to build standards-based application programming interfaces, like the interoperability and information blocking rules that the Department of Health and Human Services will implement in April.

Migrating data sharing into APIs will have the secondary benefit of strengthening cybersecurity, Chopra said.

“I say that because API management is most typically associated with cloud-based software,” he said. “And so, you have all of the potential benefits of a globally scaled cloud platform monitoring your network traffic, which doesn’t place as much of a burden on individual practices.”

Photo: turk_stock_photographer, Getty Images