Digital Healthcare: What about security?
When the COVID-19 pandemic brought the world to a standstill, the healthcare sector was forced into a rapid adoption of digital technologies that was long overdue. The healthcare sector has experienced a steady digital transformation, but much remains to be done. According to the Ontario College of Family Physicians, physicians spend an average of 19 hours a week on administrative tasks, while 93% of primary care physicians report completing these tasks by electronic means. The challenge rests in the interoperability between these electronic medical record systems and electronic healthcare systems, and in the ability of physicians to share clinical updates in a secure manner.
As a result, 40% of physicians are considering retiring within the next five years due to overwork, according to a report by the Ontario Medical Association.
As a result, there is an impetus for interoperability, but what about security?
Healthcare data is critical data coveted by cyber criminals. It includes not only patient health data, but also critical financial information such as credit card data, physical addresses, family members' health records, suppliers' data and more.
Over the past few years, multiple healthcare providers across Canada suffered several data security breaches. For example, in August, a major hospital in Ontario incurred a financial loss estimated to be at least $7.5 million because of a cyber-attack, including major disruption in its operations. Five other hospitals were affected by a cyber-attack through the hack of a single service provider in 2023.
To put the risk of cybercrime in perspective, here are examples of what could happen if healthcare systems are not secured:
- Significant disruption in healthcare operations, which in turn could cause substantial disruption to patient care that could eventually be life-threatening.
- Exposure of patient data through phishing and ransomware, causing expensive recovery exercises and substantial financial loss that a small healthcare provider could struggle to recover from.
- The ramifications of patient data breaches go beyond the realm of healthcare: for example, identity theft, patients' and healthcare workers' financial data, and the list goes on.
- This risk is amplified with artificial intelligence. While AI can be particularly useful in digesting huge amounts of data and generating powerful insights to support decision making, AI machines can also be used to undermine healthcare systems in various ways, from mimicking human actions for deceitful purposes to amplifying existing security and privacy issues.
No one is really beyond the reach of a cyber-attack. Therefore, it is imperative to place cybersecurity at the heart of digital healthcare strategies and standards to strengthen the resilience of the entire healthcare system.
The risk is particularly high among family practices. The Ontario College of Physicians counts more than 18 000 physicians among its members. According to the Association of Family Health Teams, in 2022, Ontario had approximately 3000 solo practice physicians. These small practices are particularly vulnerable in the event of a cyber-attack because they are significantly resource constrained compared to larger healthcare providers.
Large healthcare providers such as hospital systems are not without their own challenges. Electronic Health Records (EHR) systems are particularly expensive to develop. Therefore, the EHR market is dominated by a few players. Although significant resources are being invested in securing EHRs, in the event of a global security incident affecting a major EHR, the impact could be significant and impair entire health systems.
- Raising awareness: not everyone is sold on embracing digital technologies, particularly among long-standing family practices that are set in their ways in how they manage their operations. The use of manual systems or legacy technologies such as fax communication does not negate the risk of compromising healthcare data; it is just more challenging to track and report. Therefore, the benefits of adopting advanced communication technology outweigh carrying on business as usual.
- Diversifying the pool of healthcare technology vendors: it is imperative to reconsider the reliance on a few players and to foster competition in EHR, and therefore innovation, which should lead to more competitive pricing and ultimately benefit patients. More support should be extended to innovative startups to ramp up the ranks of technology providers while maintaining cybersecurity standards.
- Placing an emphasis on cyber preparedness and the development of incident response and recovery plans.
- Building capacity and promoting frequent cybersecurity awareness and cyber hygiene training among healthcare providers' staff, particularly with a workforce that has become increasingly mobile because of the COVID-19 pandemic.
- Strengthening cybersecurity protocols and putting in place a proper governance structure to support them.
- Reporting cybersecurity threats and incidents in a timely manner to maintain public trust and contain any breaches that could spread beyond the perimeter of a given healthcare provider's systems.