Is the critical healthcare infrastructure protected?
‘The health authorities: With paper, pen and fax against coronavirus’ was a press headline in 2021. The digital connection, and thus the networking, of GPs and specialists, hospitals and laboratories with the health authorities was criticised. According to plan, the health authorities in Germany should long since have reached their highest level of digital maturity. The pandemic ultimately exposed a significant gap. But it was not just the fast, networked transfer of data that came under discussion. IT security in the critical healthcare infrastructure has also come under scrutiny since then. How secure is patient data in hospitals? Is information and data security guaranteed at all times for those involved in the healthcare sector? And are IT security solutions really as robust and reliably protective as they claim to be?
The digital hospital
‘The more digitalisation in the critical healthcare infrastructure, the more important security becomes, it’s that simple and at the same time highly complex.’
CISO establishes security architecture
IT security is not a niche, but a necessity that permeates everything. The critical healthcare infrastructure is no exception. The number of hospitals that meet the requirements of the IT Security Act will grow in the future, whether or not they are legally obliged to. The requirements and necessities of digitalisation have given rise to new positions and departments responsible for information and data security across the whole organisation. Clinics are increasingly setting up Security Operations Centres (SOC) run by their own experts. This should enable hospitals to analyse external attacks in order to keep their own IT systems and infrastructures stable and protect them from damage in the face of increasingly complex attack techniques.
With the SOC, IT security is taken into account not only in patient care, but also in medical and building technology. The Chief Information Security Officer (CISO, all genders) is responsible for all corporate and cyber security. Their area of responsibility is far greater than that of the Chief Security Officer (CSO, all genders) or a head of department for security. A CISO, whether working in a hospital or a health authority, develops a holistic overall strategy for information security. The role is not organisationally anchored in IT; a CISO usually reports directly to the CEO or CIO.
Convincing others of the necessity
Based on an interdisciplinary strategy, a CISO creates a customised analysis of all systems and processes to ensure a protected and robust security architecture. The CISO optimises security guidelines, oversees identity management and leads training and awareness courses for employees. Communication skills and strong assertiveness are essential, especially when a CISO has to convince people of the need for IT security and for adjustments to processes within the organisation. The discussion about the relevance of the role ends, at the latest, when the CISO steps in as ‘Superman’ or ‘Superwoman’ to save the day in a security incident. Anyone who underestimates such incidents, IT gaps and cyber attacks is blatantly underestimating the role of the CISO.
Security where threads come together
IT security experts in the critical infrastructure have their work cut out for them. In hospitals, they often find IT systems and software applications that run in parallel like a patchwork and are not always compatible. Such a patchwork offers attackers an entry point for spying on sensitive data. In addition, these experts must take a forward-looking, strategic view of clinics as interfaces for the networking of practices and health insurance companies. Multisectoral networking beyond the boundaries of the hospital, from nursing care to outpatient care in doctors’ surgeries, is also a sustainability goal formulated by politicians.
Processes and responsibilities will continue to change in the course of digitalisation; there is no going back, and going back would run counter to any progress. HAGER Executive Consulting, which has focused on digitalisation and networked technologies since it was founded over 25 years ago, has been observing these challenges for a long time. The more technology and AI are used in therapy and diagnostics, the more complex the IT security requirements become.
Managing those requirements, while always striking a balance between data security and business effectiveness, is the task of specifically trained IT security experts, wherever the threads need to come together quickly and transparently, whether in laboratories, health authorities or clinics. However, this requires a change in mindset and a sense of urgency among many of those responsible. Once again: IT security is not a niche area, but permeates all areas of the healthcare sector. Politicians should not always have to demand, or even force, measures. Personal responsibility is required.
The message that IT security must be optimised has not yet reached everyone. Ignoring it would mean exposing oneself to avoidable risks and, above all, to an enormous loss of trust on the part of patients.
The authors: Dr Markus Neumann, Head of Business Unit Life Sciences & Healthcare and Michaela Bender, Manager Healthcare