Balancing data protection and clinical usability in healthcare

In this Help Net Security interview, Aaron Weismann, CISO at Main Line Health, discusses the growing ransomware threat in healthcare and why the sector remains a prime target. He explains the difficulties of protecting patient information, securing legacy systems, and maintaining cybersecurity without disrupting care.

Weismann also shares practical steps for improving incident response and strengthening defenses with limited resources.


How have ransomware tactics evolved in the healthcare sector, and what makes healthcare such a prime target?

I think there are various iterations of multiple ransoms and blackmail attempts. One is focusing directly on the healthcare delivery organizations (HDOs) as a prime point of attack. Another is focusing on central service providers in the supply chain, which has the added benefit of casting a wider net for impacted organizations and industries. One need only look as far as the February 2024 Change Healthcare incident to see how crippling that can be. Finally, patient dignity is another focus with payments to prevent the release of sensitive and potentially embarrassing patient information like treatment photos, notes, and so on.

I think healthcare is such a prime target because it’s largely easy to compromise and has significant financial disincentives to allow release of exfiltrated data. On the former point, HDOs are awash with legacy applications and infrastructure designed to operate in the patient care space for long periods. Some of that infrastructure, like biomedical devices, could be patched if a patch were available, and there are expedited approval mechanisms for doing so, but it’s unclear that vendors are taking advantage. On top of that, HDO networks were designed to be flat to accommodate frictionless patient care and device intercommunication. The sum of those issues results in a vulnerable environment that’s easy to compromise and traverse.

For the latter point, there are regulatory fines and penalties for disclosing patient information, plus some huge settlements associated with HDO breaches. Those will dwarf recovery costs from a serious breach and can be avoided by paying a significantly smaller ransom. Avoiding fines and penalties also mitigates some aspects of reputational harm. As seen in recent weeks, that reputational harm doesn’t only mean diminished patient volumes, but also financial impacts like downgrading bond ratings. Where margins are thinning, paying a ransom to try to mitigate those impacts might look very appealing.

How should healthcare organizations be thinking about segmenting and protecting sensitive patient data, especially in light of hybrid and cloud environments?

My recommendation: you can’t do too much in this space. Sensitive patient data is core to safe and effective patient care. In my mind, failing to protect it is tacit acknowledgment that safe and effective patient care isn’t a priority.

As far as how to segment and protect it, I think it’s easiest to identify the boundaries of where that data should travel and the stores that should house the data and then try to exclude it from elsewhere. Those boundaries can be relatively broad and generic: EMR, OneDrive, PACS, and so on, but they should be identifiable and contained. Once that’s accomplished, applying a security infrastructure on top of that to maintain it where it ought to be and keep it accessible is a matter of selecting the products that work best for your team and environment. That’s admittedly an absurdly reductionist view of data security but highlights what I think are the core elements of blocking and tackling data security.
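The boundary-first approach described above can be checked mechanically once the approved stores are named. The following is an added example, not code from the interview or from Main Line Health: it takes a list of approved patient-data stores (EMR, PACS and OneDrive, the examples given above) and a flow inventory, treats patient data as a taint that starts in the approved stores and follows only the flows marked as carrying it, and reports every system outside the boundary that ends up holding patient data, with the chain of hops that got it there. The flow inventory and system names are constructed for the example.

```python
"""Data-boundary audit for sensitive patient data.

Added example, not from the interview or Main Line Health: it models the
approach of naming the stores that may hold patient data (EMR, PACS,
OneDrive here) and then finding everywhere else that data ends up. The
flow inventory below is constructed for the example.
"""
from collections import deque

# Systems allowed to hold sensitive patient data (the "boundaries" named
# in the interview). Assumed for the example; a real list comes from your
# data inventory.
APPROVED_PHI_STORES = {"EMR", "PACS", "OneDrive"}

# Constructed flow inventory: (source, destination, carries_patient_data).
# A False edge is a de-identified or non-clinical feed and does not spread
# patient data to its destination.
SAMPLE_FLOWS = [
    ("EMR", "PACS", True),
    ("EMR", "ReportingDB", True),
    ("ReportingDB", "VendorSFTP", True),
    ("EMR", "Billing", False),
    ("Billing", "PrintQueue", False),
    ("PACS", "OneDrive", True),
]


def find_out_of_bounds(flows, approved=APPROVED_PHI_STORES):
    """Return {system: path} for every system outside the approved set that
    receives patient data, directly or through intermediate hops.

    Patient data is treated as a taint that starts in the approved stores
    and follows only flows marked as carrying patient data. The path kept
    for each offender is the shortest chain back to an approved store
    (breadth-first search).
    """
    adjacency = {}
    for src, dst, carries in flows:
        if carries:
            adjacency.setdefault(src, []).append(dst)

    # Seed the search with the approved stores; sorting keeps output stable.
    paths = {store: [store] for store in sorted(approved)}
    queue = deque(sorted(approved))
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt in paths:
                continue  # already reached by a path at least as short
            paths[nxt] = paths[node] + [nxt]
            queue.append(nxt)

    return {node: path for node, path in paths.items() if node not in approved}


def format_report(violations):
    """Render the audit result as one line per out-of-bounds system."""
    if not violations:
        return "All patient-data flows stay within approved stores."
    lines = []
    for node in sorted(violations):
        lines.append(f"{node}: patient data arrives via " + " -> ".join(violations[node]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_out_of_bounds(SAMPLE_FLOWS)))
```

Run against the constructed inventory, the audit flags ReportingDB (fed directly from the EMR) and VendorSFTP (fed from ReportingDB), while Billing and PrintQueue stay clean because their feeds are marked as not carrying patient data. The second-hop finding is the useful part: a store-by-store review would see ReportingDB as an internal database and miss that it is the path by which patient data reaches an external vendor. Fixing a finding means either adding the system to the approved boundary, with the controls that implies, or cutting the flow.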

What are the unique challenges in securing electronic health records (EHRs) and other legacy systems still widely used in healthcare?

Clinical friction is a key challenge and motivation for my security program. The more barriers put in the way of data access, the greater the friction for clinicians, and the larger the contribution to clinical burnout, which is currently a serious problem in the medical field. It’s critical to be able to balance good data safeguards with clinical access needs. That requires extensive conversations with clinical operations, a deep understanding of their workflows and testing how security measures will impact that balance.

Otherwise, it seems like vendors aren’t jumping at the chance to update and patch their infrastructure. I don’t think that’s unique to healthcare, but combined with the generally flat network and historical underinvestment in information security, it’s an acute issue for HDOs.

How can healthcare organizations strike a balance between cybersecurity and clinical usability, ensuring security doesn’t disrupt care delivery?

Understand the business and educate your clinical peers. There’s a careful balance between information security, which inherently restricts data use, and care delivery, which wants very open access to patient data. If a cybersecurity team doesn’t understand the business workflows, then their data safeguards may be applied haphazardly in relation to organizational workflows and needlessly introduce significant friction in, and barriers to, care delivery. Ultimately, HDOs exist to provide care delivery, so that might result in unwinding critical safeguards.

Understanding the care delivery model and having a conversation with the clinicians responsible for implementing it, however, will result in a much more intelligently applied solution with understood compromises from clinical partners. It also builds partnerships critical for enhancing security throughout the organization since staff are the last line of defense for some of the most prolific ransomware attack seeds.

How can healthcare organizations improve their incident response readiness, especially those with limited security staffing or budget?

Don’t rely on security staff. Rely on the clinical processes that likely already exist. It’s naive to think that information security will come in and deliver groundbreaking incident response and business continuity solutions. Are there recovery objectives they can drive? Sure. Can they build technology resilience? Absolutely.

All HDOs should have on file how to continue patient care in the absence of technology. The existence of that plan is driven by Joint Commission requirements. Where HDOs may fall down is exercising that plan.
