Electronic health records (EHRs) are within the countless medical technologies that communicate with each other. The depth of this information enhances the knowledge of industry professionals and boosts care effectiveness. However, its spread is as much of a drawback as it is a benefit. IT professionals must find ways to balance interoperability with the risks associated with a high number of attack vectors.
What Is Health Care Interoperability and Its Importance?
Health care experts juggle countless technologies simultaneously, including imaging machines, at-home medical devices and patient information software. Interoperability describes their connection to each other. Big data, machines and programs must sync and share information without compromising security. It is essential for quick triage, treatment and recovery.
Without secure systems, a single ransomware attack could compromise the golden hour — the first 60 minutes after a traumatic event — for countless in an emergency.
The surface area is ever-increasing, with numerous opportunities for hackers to take advantage of a backdoor or vulnerability. Entry into a customer service program could lead cybercriminals into billing software or an artificial intelligence (AI) database. The lackluster defensive measures of a sensor-based vitals monitor could threaten a hospital’s network security.
The expansiveness is why many could consider the seamless connection between medical devices a threat to patients instead of a boon. Interoperability is essential because information flow from integrations has these impacts on medical systems:
- Greater convenience
- Stronger customer service
- Better access to real-time patient records
- Boosted accuracy
- Improved safety
- Easier collaboration
These oversights must motivate more proactive responses from health care IT professionals to promote continuity of care and enhance the patient experience.
What Threats Arise Because of Interoperability and Why?
Threat actors compromised 51 million EHRs in 2022. Several global shifts caused the influx, with interoperability being part of the concern. The COVID-19 pandemic introduced a new era of health care with widespread telehealth and remote treatment options. These solutions required medical entities to normalize remote access and make systems as connected as possible. It also encouraged more people to have constant EHR access.
Data collection has also become easier and essential for competitive health care. This made information storage a priority, introducing a deeper need for cloud solutions. Not all providers operate with the same transparency or credentials. Hackers could take advantage of the most vulnerable with ease.
The combination of these factors, among others, created the perfect storm for these common cybersecurity threats in interoperable systems:
- Social engineering: More people became potential insider threats to secure systems because of increased access.
- Denial-of-service: Integrations give cybercriminals the choice of what systems they want to overwhelm to create disruptions.
- Ransomware: Connectivity makes it simpler for hackers to spread malicious codes and extricate what they encrypt.
- Phishing: The number of attack vectors gives threat actors more options on where to send campaigns, infecting multiple systems at a time.
How Can Health Care IT Professionals Reduce Risk?
IT staff must take action to make the most out of connected systems before hackers get inside.
Remove Silos
Just because technologies and programs are connected does not imply every department uses the same processes to store, transmit and use data.
Complications like cumbersome shadow IT, which is software and hardware that run outside of what’s sanctioned by the company, prevent interoperability from being as secure as it could be. Unauthorized assets can still communicate with the rest, but they might have security oversights, or the third-party provider could stop servicing them. Experts have to ensure procedures across teams use the same digital infrastructure and have the same hygiene habits.
Additionally, vendor lock-ins with legacy systems often force hospitals to use outdated software for their most critical devices, like CAT scanners. Companies can evaluate these partnerships and upgrade them as needed.
Balance Compliance With Proprietary Decision-Making
Health care must use the industry’s best practices from established agencies to receive preliminary guidance on how to manage interoperability. However, there are places where frameworks are insufficient. Medical facilities need to invest resources to comply with rules like HITRUST and ISO.
They should also assume responsibility for finding intermediary solutions for an organization’s current risks instead of awaiting legislative orders. Waiting for industry standards to catch up should not be an excuse for neglecting interoperability.
Limit Access and Data
Interoperability allows many endpoints to have a wealth of information from multiple sources. To keep this benefit available for health care professionals to leverage, IT teams must do two things — harness less data and make it harder to access.
Many authorization strategies can defend electronic resources connected to a network. Least-privilege measures make it so only those who need the information can get it. Zero-trust architecture protects interconnected devices at a big-picture level. It requires all users to request access, treating all entry attempts as a potential threat. Layering these methods with verification protocols like multifactor authentication and encryption will make them even stronger.
Data minimization is also an up-and-coming recommendation that is notably important in guidelines like the GDPR. It reminds all industries, including health care, that not all data is essential. Medical organizations must phase out collection of irrelevant metrics to reduce the amount of information hackers have on victims if they obtain entry.
They must also implement regular schedules to delete or store old data in secure environments outside of the interoperable ecosystem. Using blockchain alongside minimization is proven to enhance privacy while streamlining digital assets.
Reframing Health Care Interoperability as a Cybersecurity Asset
Threat actors see interoperability as a benefit to their operators, but the landscape can switch. The medical and IT industries can transform defensive strategies, making interoperability a protective technique instead of a gap. To do this, analysts must curate solutions based on the most prominent threats to interoperable medical technologies and use the connections between software and hardware to make cybersecurity stronger.
By Zac Amos, ReHack
