The increasingly digital world of telehealth visits, mobile health apps and remote workforces has improved patient access to care but simultaneously increased a healthcare organization’s attack surface. As a result, cybersecurity is a top priority for many organizations. To understand the current state of healthcare identity access management, LexisNexis Risk Solutions commissioned Xtelligent Healthcare Media to conduct a survey of healthcare payers and providers. The goal was to uncover which aspects of identity access management organizations are focusing on in the wake of increased cybersecurity threats.
Learn how cybersecurity threats are constantly evolving, and how healthcare's response evolves along with them to ensure patient and employee safety.
In 2020, the healthcare industry saw an unprecedented rise in cybersecurity threats. From data breaches to ransomware attacks, the healthcare industry reported 655 incidents last year. The issue is so large that it prompted the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA) to issue a warning about a notorious ransomware group responsible for over 400 cyberattacks.
One Illinois-based medical group is facing a lawsuit after a cyberattack exposed 600,000 protected health records. Another Arizona medical center has to rebuild over 35,000 patient records impacted by a recent ransomware attack on its EHR system.
These cybersecurity threats are not only bad press for healthcare organizations but also have impacts on patient outcomes. Locked patient files mean providers cannot access a patient's record to review that patient's medications and medical history before delivering care. Some attacks also target medical devices, halting their direct use in patient care. In fact, one in four healthcare organizations showed increased patient mortality during ransomware attacks, according to Ponemon research.
The situation has escalated so much it prompted the current administration to announce a National Cybersecurity Initiative.
A major driver behind the growth of cybersecurity threats is an increased attack surface created by the expedited digitization of healthcare. Telehealth, in particular, has grown by 55% among physicians, according to the AMA. New digital offerings create more opportunities for hackers, giving them multiple entry points into a healthcare organization.
Couple a large attack surface with an increase in remote workforces and healthcare organizations have a large problem to tackle—maintaining a robust cybersecurity framework in a digital world.
Fifty-two executives from payer organizations responded to the survey, along with fifty from provider organizations, including hospitals, health systems and large physician practices. These stakeholders included chief security officers, presidents and chief information officers at each of these organizations.
The survey also included follow-up interviews with select survey respondents, who revealed their best practices for effective cybersecurity strategies.
Current state of cybersecurity in healthcare
A quick shift to robust telehealth use meant the healthcare industry needed to adapt its strategies to allow patients access to their health information. Those outside of a healthcare organization needed to access internal systems to complete telehealth visits, log into patient portals, and schedule visits. But this created multiple external access points that healthcare organizations needed to protect.
Currently, providers are using one-time passwords (82%) and phone number verification (54%) as their primary means of authenticating and verifying the identities of patients who are accessing their data.
One health system respondent said 80% of their ambulatory visits transitioned to virtual visits. To protect this sensitive information, the telehealth platform was encrypted.
“The telemedicine platform, the virtual visit platform, any information that’s moving through the ether, that data is encrypted,” explained the health system’s chief information officer and vice president of digital technology. “When a patient logs into the patient portal, that’s a virtual private network. It’s a secure link between the patient and our electronic medical records.”
Payers similarly needed to make the transition to protected external access points such as telehealth platforms. But their strategies are a bit different. They are leaning predominantly on email verification (77%), phone number verification (73%) and device authentication (69%) when members are accessing data.
Similar authentication and verification technologies can be used for internal access to systems. Payers and providers are aligned in their internal access management strategies, as most payers (71%) and providers (78%) are using device authentication for managing internal access.
“We were getting hit with phishing attacks, and our employees were falling for those. They were giving up their username and password and giving the hackers access,” revealed the chief information officer and vice president of digital technology at a health system.
To combat this, his organization began an aggressive employee cybersecurity education strategy where the biggest goal was to help employees understand the magnitude of the threats.
Some organizations are taking this a step further and automating verification processes for employees. For example, one state-based health insurer authenticates the individual employee based on underlying web scripts.
“Employees are getting authenticated based on what JSP [Java Server Pages] a person is with and that they’re a valid employee. Then they can access that application with a single sign-on process instead of having a local ID,” explained the payer’s director of application development.
Many of these healthcare organizations had remote capabilities but needed to bolster their abilities to support an entirely remote workforce.
“Now, we are looking at a sizable population that may never return onsite. Access control did not need to change. We had already adopted two-factor authentication for all remote access,” the chief information security officer of a health system said. “But shifting from VPN to a cloud-based DRAC access was the main change in our technology footprint.”
Regardless of the specific strategy healthcare organizations are using to manage internal and external access management, there is a pressing need to invest in these infrastructures to support both patient and employee needs.
Cybersecurity is a constantly moving target
The cybersecurity challenges healthcare organizations faced in the last year are not unique. But faster rollout timelines meant cybersecurity was a constantly moving target.
“It’s just keeping us more up at night,” said the senior director of enterprise architecture at a national health plan. “We were always up at night, but now it’s a bit more concerning for sure. We’ve seen a trend, whether it’s our employees accessing data or members accessing data. There’s an expectation all the data will be available online.”
Meeting these expectations can be a challenge as there are multiple strategies to manage internal and external access. Yet most healthcare organizations are confident in their current strategy to prevent unauthorized access to patient information. All provider organizations surveyed are somewhat or very confident in their strategies, and 97% of payers report the same.
The drive to prioritize cybersecurity stems from multiple sources. For providers, this includes increased attacks or threats (66%), having experienced a significant breach (58%) and investment in digital offerings to patients (56%). Providers have either experienced an attack firsthand or fear joining their peers in the headlines highlighting weekly ransomware attacks.
At payer organizations, the motivation to invest in cybersecurity also stems from increased attacks or threats (56%). But compliance and regulatory guidelines (44%), increased budget (42%) and investment in digital offerings to members (42%) are also driving forces for these organizations.
Despite confidence and clear priorities, organizations are still increasing their IT and information security budget for 2022 either moderately or substantially at provider (80%) and payer (75%) organizations because cybersecurity and preparedness are not one-time investments.
“Cybersecurity is an ongoing battle, and it will continue to be challenging and daunting. We must stay diligent and stay on top of it every day because the bad actors work 24/7,” highlighted the chief information officer and vice president of digital technology at one health system.
Strategies for ensuring security
To ensure they continue to hit an ever-moving target, healthcare organizations are employing myriad cybersecurity strategies. When asked to rank their top priorities, payer and provider leaders agree securing patient or member portal login, securing data access via mobile apps and securing employee system access are the top three priorities.
The increase in digital offerings has prompted this concern for many organizations internally and externally.
“We instituted mobile device management because these devices are increasingly used in healthcare. If you, as an employee, are going to use any of these mobile devices to access our enterprise network, you have to have it password-protected, with encrypted data and a GPS component,” emphasized the chief information officer and vice president of digital technology at a health system.
For this health system, these strategies include building an email cybersecurity product and standards around the solution. For example, when a suspicious-looking email comes into an employee’s email, it is flagged, and the user must decide whether to open it.
[Figure: What is motivating your security measures prioritization?]
The success of this strategy hinges on employee education, though. Employees must be trained to understand what a suspicious-looking email is and what to do if they come across one.
“We could alter the velocity or accelerate the timelines for what we want to do. But we haven’t had an ‘ah-ha moment,’” explained the director of application development at a state-based insurer. “We have not thought about something and completely dropped everything to start evangelizing a totally different concept.”
Cybersecurity strategies must be ongoing and continuous, evolving as threats and technology evolve. Continuing education is a key component of that. The speed at which healthcare digitized in the last two years accelerated cybersecurity timelines, but the underlying strategies did not change. Many understand that strategies need to be robust and varied to simultaneously manage a patient or member population demanding digital offerings and a remote workforce.
“We are shifting away from an on-premise-only security posture to a dual or hybrid type of a model when it comes to our security,” said the senior director of enterprise architecture at a national health plan. “We want to use more cloud-capable or cloud-ready type of solutions for our cybersecurity.”
A hybrid world requires hybrid offerings adaptable to current and future threats.
Members and patients move through a virtual world, transitioning providers and payers routinely. Employees do the same, moving between an office and work from home. Healthcare organizations are forced to have a dual approach to access management.
A multi-layered cybersecurity approach will ensure these organizations are prepared. One strategy is not enough to keep up with the ever-changing threat environment.
“We try to have what we call good cybersecurity hygiene, similar to what we go through with physical hand hygiene,” concluded the chief information officer of a health system.
Opportunities for exposure, breaches and attacks are growing rapidly. As a result, keeping patients and employees protected hinges on having appropriate safeguards in place that healthcare leaders can be confident in. However, cybersecurity threats are constantly evolving, so healthcare’s response to these threats must be equally dynamic to ensure patient and employee safety.