April 27, 2023
Today’s health care organizations face a constant barrage of increasingly sophisticated cybersecurity threats. Research leveraging public and private sector data shows that ransomware attacks targeting health care delivery organizations doubled from 2016 to 2021, and the health care sector continues to be a top target for cyber criminals.
In addition to cybercrime, other known and persistent threats—such as large-scale public health emergencies and natural disasters—are increasing in size and frequency. At the same time, health care providers depend on a digitally connected health information technology (IT) infrastructure to meet patients where they are, as well as robust data analytics to transform care delivery and improve health outcomes. That is why OCHIN is advocating for a stronger, more resilient health IT infrastructure with advanced tools and training for providers in rural and underserved communities to support access to care for all patients, even during a crisis.
Mitigating risk through resilient health IT systems
The COVID-19 pandemic worsened the health care sector’s vulnerability. A staggering 93% of health care organizations suffered a cyberattack, the cost of a data breach reached a record high at $10 million per attack, and Health Insurance Portability and Accountability Act (HIPAA) complaints and breaches increased significantly. Experts are particularly worried about cybersecurity in 2023 as new threats mount.
Hackers have also shifted their focus from large health care systems to smaller hospitals and clinics that often have fewer resources to adopt and support upgraded cybersecurity infrastructure. Data breaches at a single clinic can expose protected health information (PHI) of millions of patients and shut down operations at community health organizations, threatening patient care in rural and medically underserved communities, damaging trust, and worsening financial challenges.
“The idea of losing our ability to support our patients and families is frightening,” said Colin Robinson, chief technology officer at OCHIN member One Community Health. “The target is firmly on our back, but … with the demands of an ever-evolving pandemic, crippling staffing challenges, and evolving community needs, how does cybersecurity make it to the top of the priority list?”
One Community Health explained why they consider cybersecurity as essential as paying the electric bill:
“We cannot see our patients, pay our staff, or grow our programs with our technology resources held hostage and our doors closed to the public,” Robinson said. “Being the target of cybercrime is unavoidable, and unfortunately, so is falling victim to a compromise of some protected data … but we can build better more resilient systems to mitigate the risk.”
Addressing tomorrow’s threats through investments today
OCHIN is working to do just that by advocating for systemic investments to enhance cyber resiliency, particularly in rural and medically underserved communities that may be more vulnerable in a natural disaster, public health emergency, or cybersecurity crisis. For example, we recently became a member of the Health Sector Coordinating Council Cybersecurity Working Group, an advisory group to the Department of Health and Human Services (HHS).
Since risk mitigation tools and training can be costly, community health organizations need more targeted ongoing support aimed at developing, building, and bolstering cybersecurity defenses and disaster preparedness to protect patient data and avoid interruption of critical operations, such as:
- Regional cybersecurity extension centers that supply technical assistance, risk assessments, breach mitigation and disaster recovery support, and staff augmentation services to providers in rural and underserved communities
- Community-based health IT workforce development and training to rebuild and modernize community health clinic operational and support staff
- User-centric national cybersecurity reporting standards
- Clear guardrails for compliance with HIPAA Security Rule obligations and “leveling-up” minimum requirements for providers
- Participation in the national strategic planning process between the Healthcare and Public Health Sector Coordinating Council (HSCC), HHS, Department of Homeland Security (DHS), and other essential government partners
- Subjecting all technology and software organizations that have PHI or electronic health information (EHI) to HIPAA privacy and security requirements
- A uniform operational security framework with 24/7 implementation support from regional cybersecurity extension centers to support widespread adoption, lower costs, and improved overall system security
Providing this support to providers in rural and underserved communities is critical because it would strengthen the disaster preparedness and cybersecurity of the whole health care ecosystem while ensuring that limited public funding is directed toward providers with the least resources. It would enable community-based organizations to adopt essential security measures by allowing them to invest in community-based health IT training and access support from experienced cybersecurity professionals on an ongoing basis. And it would ensure community-based providers do not have to divert scarce resources needed to deliver patient care to support and update their core IT systems.
“We have changed how we protect and prepare for cybercrime,” said Robinson, “but the biggest shift in the organization … has been in our evaluation of the risk and how vital cybersecurity can be to our continued support of our community.”
Building partnerships and solutions to tighten data security
OCHIN’s skilled experts are leaders in cybersecurity consulting for community health-focused networks. For example, we were recently awarded a contract through the federally funded Health Center Controlled Network (HCCN) program run by Aliados Health (formerly Redwood Community Health Coalition) to supply cybersecurity technical assistance to 16 community health centers in California. OCHIN’s HCCN expects similar partnerships soon.
We offer a wide array of direct cybersecurity support services to help community care organizations reduce vulnerability and measurably strengthen security, including:
- Regulatory compliance assessments to ensure that providers are following privacy and data protection requirements
- Vulnerability assessments that find gaps in providers’ basic security practices and test maintenance processes to ensure minimum steps have been taken to secure networks and hardware
- Penetration testing internal and external security to offer insight into possible attacks and ways to prevent them before real damage can be done
Nic Powers, CEO of Winding Waters Health Center, said that performing a vulnerability assessment with OCHIN was important to their organizational infrastructure because it helped them see network security gaps they might have missed. It also recommended ways to close those gaps.
“We absolutely trusted the OCHIN team to identify these opportunities in an efficient and effective way,” he said. “Once we received reassurance that our systems were as secure as we could make them, it enhanced our peace of mind tremendously.”
Learn more about OCHIN’s cybersecurity assessment services, and read more about our ongoing advocacy to support disaster preparedness and cyber resilience in the public comments below:
- Congress RFI Pandemic and All-Hazards Preparedness Act (PAHPA) 2023 Reauthorization
- Congressional Cybersecurity Recommendations
- CISA RFI Response to Cyber Incident Reporting for Critical Infrastructure Act of 2022
- SAMHSA RFI on Environmental Disasters and Health Equity
- Congress Support S 3904, the Healthcare Cybersecurity Act of 2022
- OCR RFI on Cybersecurity Controls and Industry Practices
- NIST NCCoE Cybersecurity Risk in Telehealth