Why Health Systems Need to Consider the Importance of Cybersecurity When Evaluating New Software

The escalating sophistication, frequency, and danger of cybersecurity threats facing hospitals underscore a critical concern in today’s healthcare landscape. These incidents have proven their disruptive potential by shutting down hospital networks, denying clinicians access to electronic health records, exposing patients’ personal information, and causing significant delays in the delivery of urgent care to patients.

Data from the U.S. Department of Health and Human Services (HHS) reveals a concerning trend. Since 2010, healthcare breaches have laid bare more than 385 million patient records. The first half of 2023 has been particularly distressing, with numerous incidents highlighting the depth of the issue. Notable healthcare vendors have issued alerts about hacking risks detected in monitoring software, providers of wearable tech have been linked to the exposure of personally identifiable information, and hospitals have fallen victim to ransomware attacks. These attacks have been so severe they’ve necessitated the diversion of emergency patients to other facilities.

Put simply: cybersecurity is top of mind for the entire healthcare ecosystem, especially hospitals.

Regulatory bodies are stepping up their game against cyber threats. For example, the FDA introduced new guidelines, effective October 1, 2023, under which it will begin rejecting new medical device applications that fail to address certain cybersecurity requirements. In collaboration with the FDA, MITRE has also issued playbooks that focus on incident preparedness and response, providing invaluable advice to healthcare delivery organizations and leadership on how to respond to a cyberattack. Additionally, President Biden has intervened with a comprehensive national cybersecurity strategy aimed at bolstering the nation’s defenses, safeguarding not just hospitals but also schools, government services, and other critical infrastructure.

However, it’s also essential for health system leaders to be proactive and ensure cybersecurity remains a top consideration when selecting a software partner. More than ever, hospitals are leveraging advanced technology, digital tools, and cloud-based software to improve efficiency. While this enhances patient safety and care, it also creates more opportunities for cybercriminals to carry out nefarious activities.

When evaluating potential software partners, it’s vital to carefully scrutinize and seek clear answers to questions like:

  • Can you promptly identify cybersecurity events that impact your software and company?
  • What capabilities do you possess to respond to and mitigate the effects of a potential cyber incident? Do you have a cyber incident response plan?
  • What contingency plans do you have to restore capabilities or services compromised by a breach or attack?

Leaders should not merely rely on a vendor’s assurances. Third-party accreditations, such as those from the Health Information Trust Alliance (HITRUST), provide certifications that verify vendors adhere to the highest standards for protecting sensitive data and information when collaborating with health systems. The HITRUST Common Security Framework (CSF) offers a comprehensive and efficient approach to regulatory compliance and risk management. Organizations certified under this framework have demonstrated their unwavering commitment to ensuring the best possible protection for their customers’ healthcare data. With the CSF as their guide, these certified organizations are well-equipped to manage new risks as security and privacy regulations continue to evolve.

The certification combines numerous standards, including ISO, NIST, GDPR, and HIPAA, spanning 19 domains – from endpoint and mobile device security to wireless security and configuration management. While the certification is a rigorous process, it is considered the gold standard in the industry because of its comprehensive control requirements, depth of assurance process, and level of oversight that ensures a validated process is in place.

Glytec’s HITRUST Certification stands as a testament to our organization’s commitment to securing and protecting sensitive health information. Our team consistently places emphasis on vulnerability management, security training, software monitoring and other company-wide and platform-specific security practices. We adhere to federal and state regulations, industry best practices and frameworks, and take a risk-based approach toward cybersecurity. Security is not just a priority for us – it’s woven into the very fabric of our mission to help patients.

To learn more about the care and expertise we bring to all of our implementations and the way we work with IT teams to ensure a successful, secure process, read our implementation and support overview.
