Moving Forward with Digital Transformation, with Cybersecurity in Mind
The forces of disruption and innovation—whether in the form of new business combinations such as CVS-Aetna or big technology companies like Amazon coming into healthcare—are undoubtedly impacting the healthcare industry and likely herald some seismic shifts in the industry landscape. Just in the past year, the industry has seen CVS’s acquisition of Aetna, the announcement from Amazon, Berkshire Hathaway and JPMorgan Chase & Co. of a new healthcare venture, Cigna’s acquisition of pharmacy benefit manager company Express Scripts and Amazon’s acquisition of online pharmacy company PillPack.
According to a new survey from BDO USA, a Delaware-based accounting and advisory firm, and NEJM Catalyst, 87 percent of healthcare leaders at patient care organizations predict that Amazon, of all the new entrants in healthcare, will have the most significant impact on the industry by 2020. It is against this backdrop that many healthcare organizations are focused on digital transformation initiatives, driven by a need to increase revenue and profitability, improve the patient experience and boost operational efficiency.
According to BDO’s Middle Market Digital Transformation Survey, which polls C-level executives at companies with annual revenues between $250 million and $3 billion, 94 percent of mid-market organizations have either developed a digital transformation strategy or are in the midst of developing one. Among healthcare organizations, 37 percent are currently developing a digital transformation strategy, 28 percent have developed a strategy but haven’t yet implemented it and 24 percent are implementing a strategy, according to that survey, which polled executives in the healthcare industry as well as the natural resources, financial services and retail industries.
At the same time, healthcare is the most stressed of all industries when it comes to cyberattacks and data privacy breaches, with 43 percent citing it as their biggest concern, according to the BDO survey. While these two issues—digital transformation and cybersecurity—may seem largely unrelated, two technology thought leaders, Gregory Garrett and Malcolm “Chip” Cohron, say the two issues are intertwined, particularly as healthcare organizations face evolving and increasingly sophisticated cyber threats.
In an interview with Healthcare Informatics Associate Editor Heather Landi, Garrett, head of U.S. and International Cybersecurity for BDO USA, and Cohron, national Digital Transformation Services leader for BDO USA, share their perspectives on the current cybersecurity landscape in healthcare, the role that digital transformation plays in a threat-based cybersecurity strategy, and the key considerations for healthcare executive leaders as they move forward with digital transformation.
With regard to the healthcare sector, what are some of the high-level takeaways from BDO’s Middle Market Digital Transformation Survey?
Cohron: We found that, compared to their counterparts in financial services, natural resources and retail, mid-market healthcare companies place the greatest emphasis on developing a digital transformation strategy. More than half (53 percent) cite it as a top digital priority. Healthcare is also most worried about cyberattacks and data privacy breaches. We think the two go hand in hand. Healthcare organizations have a target on their back because of all the highly valuable personally identifiable consumer information they possess. They are also, generally speaking, much further behind in digitizing analog information and manual processes, and their outdated IT infrastructure wasn’t built with security in mind. Because of that, they face greater urgency in digital initiatives like replacing or upgrading legacy IT systems. If they don’t, their cyber defenses are left vulnerable and they’ll have a higher price to pay.
What are some key digital transformation success factors?
Cohron: According to BDO’s Middle Market Digital Transformation Survey, for mid-market health organizations, the biggest barriers to successfully implementing a new digital initiative are 1) interoperability with legacy technology and processes (cited by 60 percent); 2) lack of skills or insufficient training (47 percent); and 3) underinvestment (41 percent). The first barrier is one of technology and the latter two of people, but the challenges are interconnected.
Interoperability initiatives are typically focused on process standardization and data integration. The goal is to make sure data is available, accessible and secure throughout the doctor-to-patient lifecycle, thereby streamlining information sharing and enhancing transparency.
But adopting new standards and embracing information sharing comes down to people. We’re talking about fundamentally changing the way people work. The type of behavioral change needed to make these goals a reality starts with tone at the top. The senior-most leaders of the organization not only need to be bought into digital transformation, but also need to convincingly evangelize the vision. You need your employees to understand why they need to leave the status quo behind, believe in the strategy and engage in the process. Most importantly, they need to understand what’s expected of them.
While an injection of new talent can help improve your overall digital competency, you will also need to provide current employees with the resources, training and development they need to be effective as their roles evolve.
In that survey, 43 percent of healthcare respondents identified cyber attacks or privacy breaches as top digital transformation challenges, the most of any industry in the survey. What role does digital transformation play in healthcare organizations’ cybersecurity strategy?
Cohron: To sustainably innovate patient care, health organizations must be able to safely store and analyze patient data—the most valuable resource to the consumer, the business of health and, we believe, the security of a nation. At the same time, with the infiltration of technology into healthcare, consumers expect care to be available at their fingertips, personalized to their individual needs and preferences. They want digital health solutions. If health organizations are to keep up with these demands, not only do they need to digitize their core business processes, they need to reimagine the business of health altogether. We imagine a future where doctors will be able to tailor therapies to patients’ DNA and customize drug regimens, aided by cognitive diagnostic solutions, heralding a new era of precision medicine. Both digital transformation and cybersecurity are key.
Garrett: Digital transformation and threat-based cybersecurity go hand in hand. Security is the backbone to digital transformation—and in fact, it can even serve as an innovation catalyst. Taking on digital transformation initiatives like upgrading or replacing legacy IT systems is key to not only increasing operational efficiencies, but also bolstering cybersecurity, as both security and privacy should be embedded into the initiative’s design and architecture. When an organization overhauls their IT infrastructure, their security risks undergo an overhaul, too. Old vulnerabilities may be mitigated or even eliminated, while new ones are introduced. The process of implementation will require a fresh look at how data is accessed and used and can help health companies shift their security resources accordingly, in conjunction with an external threat monitoring system.
How would you describe the current state of healthcare cybersecurity, with regards to the threats healthcare organizations are facing and the healthcare industry’s defense posture?
Garrett: Technology has brought healthcare to consumers’ fingertips and put them at the center of their care for the first time. Now, traditional tech companies are building health apps, wearables and other devices, and consumers are using those to track their health progress and feed data back to their doctor, insurance provider or both. Underlining this new level of capitalization of data in healthcare is the Amazon, J.P. Morgan and Berkshire Hathaway health initiative. While this level of data-sharing is of course net positive for personalized care, it widens the target for cyber attackers.
To manage this growing cyber risk without constraining patient care innovation, a threat-based approach to cybersecurity is key for health organizations.
What is a threat-based cybersecurity strategy?
Garrett: Threat-based cybersecurity is a forward-looking, predictive approach. Rather than—or in addition to—focusing just on protecting critical data assets or following the basic script of a generic cyber program, threat-based cybersecurity concentrates investments in the most likely risks and attack vectors based on a company’s unique threat profile and the external threat environment. The problem with any cyber framework is that it’s relatively static, and typically updated based on historical breach data and lessons learned instead of forward-looking information. Security controls are meant to address specific risks posed by specific threats, which are constantly changing.
The first step to employing this strategy is to assess and take ownership of your organizational DNA, or the data assets and other intellectual property that make you unique—and an attractive target. During this process, health companies must keep in mind that the data assets they value most may not be the prime target for a would-be hacker. Most hackers seek the path of least resistance, more interested in making a quick buck than going after an organization’s “crown jewels.” For example, their data on performance outcomes, which they might value most, is not as valuable to a hacker because it’s more difficult to monetize on the dark web.
Taking patient needs into account, a health organization must determine what digital initiatives are needed to be competitive in the future—while also employing a threat-based cyber approach to anticipate what type of cyber risks could hinder or even arise from those initiatives.
What do the most frequent types of large-scale breaches from 2018 indicate about how health organizations should evaluate their threat environment in 2019?
Garrett: The most frequent types and locations of large-scale healthcare breaches in 2018 were unauthorized access or disclosure and email, respectively. We think this means that to effectively detect and respond to risks, health organizations need to prioritize the following actions. First, bolster access controls like technical policies and procedures to ensure only authorized employees have access to protected health information (PHI) via electronic health records (EHRs) and personally identifiable information (PII). Second, implement stronger audit controls to track and identify internal and external access to and exploration of information systems that contain PHI and PII. Also, organizations need to strengthen intrusion detection systems to more accurately monitor traffic moving throughout their email, network and information system endpoints to identify suspicious activity and clear threats in real time.
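The first two actions Garrett lists, access controls that restrict who may reach PHI and audit controls that track who actually did, can be illustrated with a small review script. The following is an added example, not part of the interview and not BDO's or any EHR vendor's code; it assumes a hypothetical CSV-style audit log layout, a constructed role policy (`ROLE_POLICY`), constructed business hours and a constructed volume threshold, and it runs over constructed sample lines embedded in the script. It flags actions a role is not permitted to perform, clinical staff reaching records outside their own department, after-hours access, and one account touching an unusual number of distinct patient records.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an EHR access audit log (hypothetical CSV layout, not a real product format):
# timestamp,user,role,user_department,patient_id,patient_department,action
SAMPLE_AUDIT_LOG = """\
2018-11-02T09:14:05,jdoe,nurse,oncology,P1001,oncology,view
2018-11-02T09:20:11,jdoe,nurse,oncology,P1002,oncology,view
2018-11-02T09:31:44,jdoe,nurse,oncology,P2001,cardiology,view
2018-11-02T23:41:37,bsmith,billing,finance,P1001,oncology,view
2018-11-02T10:02:00,bsmith,billing,finance,P1003,cardiology,export
2018-11-02T11:15:09,rlee,physician,cardiology,P2001,cardiology,update
2018-11-02T11:16:30,rlee,physician,cardiology,P2002,cardiology,view
2018-11-02T11:17:02,rlee,physician,cardiology,P2003,cardiology,view
2018-11-02T11:17:40,rlee,physician,cardiology,P2004,cardiology,view
2018-11-02T11:18:15,rlee,physician,cardiology,P2005,cardiology,view
"""

# Access-control policy (assumption for this example): the actions each role may perform on PHI,
# and whether the role is confined to patients of its own department.
ROLE_POLICY = {
    "physician": {"actions": {"view", "update", "export"}, "own_department_only": True},
    "nurse":     {"actions": {"view", "update"},           "own_department_only": True},
    "billing":   {"actions": {"view"},                     "own_department_only": False},
}
BUSINESS_HOURS = (7, 19)  # local hours [start, end) treated as normal working time (assumption)


def parse_audit_log(text):
    """Parse the CSV-style lines into event dicts; malformed lines are skipped rather than crashing."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 7:
            continue
        ts, user, role, user_dept, patient, patient_dept, action = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user, "role": role, "user_dept": user_dept,
            "patient": patient, "patient_dept": patient_dept, "action": action,
        })
    return events


def audit_phi_access(events, max_patients_per_user=4):
    """Return (finding_type, user, detail) tuples for accesses that merit a reviewer's attention."""
    findings = []
    patients_by_user = defaultdict(set)
    for ev in events:
        policy = ROLE_POLICY.get(ev["role"])
        # 1. Access control: unknown role, or an action the role is not permitted to perform
        if policy is None or ev["action"] not in policy["actions"]:
            findings.append(("unauthorized_action", ev["user"], ev["patient"]))
        # 2. Minimum-necessary check: clinical staff reaching outside their own department
        elif policy["own_department_only"] and ev["user_dept"] != ev["patient_dept"]:
            findings.append(("cross_department", ev["user"], ev["patient"]))
        # 3. Time-of-day anomaly: access outside business hours
        if not (BUSINESS_HOURS[0] <= ev["time"].hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", ev["user"], ev["patient"]))
        patients_by_user[ev["user"]].add(ev["patient"])
    # 4. Volume anomaly: one account touching more distinct patient records than the threshold
    for user, patients in patients_by_user.items():
        if len(patients) > max_patients_per_user:
            findings.append(("high_volume", user, f"{len(patients)} patients"))
    return findings


if __name__ == "__main__":
    for finding in audit_phi_access(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```

On the constructed sample this produces four findings: a nurse viewing a cardiology patient from oncology, a billing user viewing a record at 23:41, a billing user attempting an export the role does not permit, and a physician account that touched five distinct patients against a (deliberately low) threshold of four. In practice the policy table would come from the identity system and the thresholds from a baseline of each role's normal activity, and the findings would feed the audit review rather than block access outright.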