Three Ways Healthcare Organizations Can Improve System Security Right Now

The following is a guest article by Dr. Richard Searle, Vice President of Confidential Computing at Fortanix, Inc.

Today’s world is increasingly driven by technology and digitalization, and the healthcare industry finds itself at a vital intersection between patient care and data security. The rise of cyberattacks, particularly against the healthcare industry, has shone a spotlight on the significant gap between the healthcare sector’s commitment to cybersecurity and the continually evolving threats it faces.

This stark contrast between the magnitude of cyber risks and the allocation of resources to protect patient data has become an urgent concern. Here we will examine three steps healthcare systems can embrace to strengthen their defenses and protect sensitive patient and organizational information.

Step One: Commit the Necessary Resources

Multiple reports in recent months illustrate how much healthcare lags when it comes to committing resources to cybersecurity. A report by Moody’s labeled the healthcare industry as “cyber poor,” saying it needs to increase security investments to effectively protect patient data.

Further, a survey by the Healthcare Information Management Systems Society (HIMSS) found that most healthcare organizations allocate only 6% or less of their IT budgets to cybersecurity. If that sounds low, it’s because it is; multiple studies have found that enterprises spend anywhere from 10% to 20% of their IT budgets on security on average.

Healthcare systems in the U.S. are under tremendous financial strain. In 2022, for example, the combination of COVID-19, labor shortages, and inflation resulted in one of the worst financial years ever for U.S. hospitals. This has led to conservative spending across the board, including where data security is concerned.

But the problem with a conservative spending approach is that if (and when) a data breach does occur, remediating it will cost far more than appropriate security measures would have cost up front. Health systems need to evolve their views on cybersecurity spending and treat it as an investment rather than a frivolous cost.

Step Two: Don’t Just Implement Security Policies, Follow Them

Security policies and protocols are vital to securing sensitive data, yet, obvious as it may sound, organizations need to follow their own protocols for them to actually be effective. A recent Salesforce survey of 400 U.S. healthcare workers found that 22% said their organization doesn’t strictly enforce cybersecurity protocols, while 31% said they weren’t sure what to do in the event of a security breach.

And while the survey did find that two-thirds (67%) said their organization embraces a security-first culture, 31% also said they’re not familiar with their company’s security processes and policies.

As is the case in many areas of life, education is a major key to creating a solid foundation for success. Specifically, health systems could do a better job of educating team members about their organization’s security policies, how they work, and why they’re important. Various studies have found that anywhere between 88% and 95% of data security breaches are caused by human error, another indication that the workforce needs to be educated on how to properly follow the protocols that protect sensitive data.

Step Three: Educate Yourself and Embrace Next-Gen Technology

The U.S. Department of Health and Human Services (HHS) Cybersecurity Task Force has stepped up its efforts to provide resources that address the rising threat of cyberattacks across healthcare and the public health sector.

In addition, major healthcare organizations such as the Centers for Disease Control and Prevention (CDC) have started using Confidential Computing-powered technologies to protect data at the highest level. The technology has proven effective across several healthcare-related use cases, including protecting against cyberattacks, meeting industry regulations (such as HIPAA), securing AI research, creating a secure landscape for contact tracing, and protecting medical imaging.

One of the biggest benefits of Confidential Computing is that it can be implemented to protect data in all three of its states: at rest, in motion, and in use. At a high level, the technology uses a hardware-based trusted execution environment that prevents access by untrusted users and applications, so data remains protected even while it is being processed. An important benefit of Confidential Computing is the defense it provides for sensitive healthcare data even when an organization’s wider IT infrastructure has been compromised by external or internal threat actors. This can prove invaluable for economically challenged health systems that simply cannot afford a costly data breach. Consumers also benefit from enhanced trust in the way that their most intimate data is protected against exposure.

In one recent example, Nashville-based HCA Healthcare faces a class-action lawsuit after the theft of sensitive data affected more than 170 hospitals and had the potential to impact more than 11 million patients. The suit claims that HCA “did not use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining.”

This isn’t the first breach of healthcare data, nor will it be the last, but it illustrates how important and valuable implementing the highest level of security can be.

Ultimately, protecting patient data in today’s digital age starts with a commitment of resources, strict enforcement of security policies, and the adoption of cutting-edge technologies. The time has come for healthcare organizations to stop viewing cybersecurity as a secondary concern. The new reality is that data security is a cornerstone of health systems’ responsibility to ensure that patients’ well-being reaches beyond physical health. Organizations that understand this and take the steps necessary to protect sensitive data within healthcare systems give themselves the best chance at long-term success, differentiating themselves through enhanced data security in the eyes of their existing and future customers.

About Dr. Richard Searle

With an extensive background in complex systems engineering and the application of machine learning for data discovery, Richard leads the deployment of Fortanix Confidential Computing technology for customers. Richard has served as General Members’ Representative to the Governing Board, and Chair of the End-User Advisory Council, of the Confidential Computing Consortium of the Linux Foundation and he is recognized as a thought leader on applications of Confidential Computing. Richard holds a Doctor of Business Administration from Henley Business School at the University of Reading, has filed patents and published papers on the application of Confidential Computing technology, and is conducting research on the use of artificial intelligence (AI) systems within the context of national security.