Historically, physician practices, hospitals and health systems hired IT vendors to manage their equipment, update business and clinical software, and support their clinicians and staff with tech problems. Those services were typically all that was expected and needed, so IT was considered just another vendor line item on the organization’s operating expenses.
While healthcare’s goals of delivering high-quality care have stayed largely the same over the years, the industry’s technology needs are immensely different and more critical to clinical and financial outcomes. Here are just a few ways:
- Healthcare data breaches of 500 patient records or more (mostly due to cyberattacks) increased from 199 in 2010 to 707 in 2022, according to data posted in The HIPAA Journal from the Department of Health and Human Services’ Office for Civil Rights.
- The annual number of ransomware attacks on healthcare organizations more than doubled from 2016 to 2021, according to a 2022 study in JAMA Health Forum.
- Telemedicine, administrative functions, and certain support services have seen a notable shift toward remote work. Reimbursable services with a telehealth component grew from 0.15% of all claims in January 2019 to 5.9% in January 2023 – a 3370% increase, according to FAIR Health’s monthly telehealth tracker.
- Smartphone ownership in the U.S. grew from 35% in 2010 to 91% in 2023, according to The Infinite Dial running survey by Edison Research.
- The cloud is projected to add $100 billion to $170 billion in 2030 for healthcare companies.
- For health systems currently using AI, almost 85% expect a moderate to large increase in investments in the next one to three years.
As such, IT services have evolved with the times, with companies offering a wider scope of services and greater expertise far beyond “tech support.” Leading IT partners now deliver prevention-focused cybersecurity consulting and training, long-term IT road-mapping, and even devote staff to serve as virtual chief information officers (vCIOs) or virtual chief information security officers (vCISOs) for customers.
With this broader, more strategic-focused service offering, healthcare organizations gain genuine partners in operations and administration, rather than just another vendor.
Cybersecurity takes center stage
Protecting healthcare organizations from cyberattacks and responding to unauthorized network access and data breach incidents have always been part of an IT partner’s services. Since 2020, however, attacks have grown at unprecedented levels, requiring greater vigilance from providers and administrative staff, but even more so from the IT partners that support them.
Last year, for example, as many as 95% of health systems, hospitals and other provider organizations in North America experienced a cybersecurity incident, with only 5% of respondents stating that none occurred, according to survey results from Claroty.
Worse yet, 78% of respondents reported that the impact of the incident was at least “moderate,” affecting the efficiency of care delivery, including 16% reporting a “severe” impact where patient health and/or safety was affected. For two-thirds (67%) of the organizations, associated costs with these incidents ranged from $100,000 to as much as $10 million.
The growth seems to stem from threat actors sensing a security vulnerability opportunity during the early waves of the Covid-19 pandemic. The volume of ransomware attacks – where cybercrime groups infiltrate and hold IT systems hostage until a ransom is paid – grew so rapidly that in late 2020 the FBI issued a rare advisory specifically to healthcare organizations on how to protect themselves.
Threat activity, however, has not waned since then as healthcare received an average of 1,410 weekly cyberattacks per organization, an 86% increase over 2021 and the second most of any industry, noted Check Point Research.
It is notable that the FBI initiated such a public cybersecurity intervention specifically for healthcare providers. The lengthy advisory demonstrates the tremendous need for relevant expertise in the industry, but also how integral IT has become in protecting patients, as well as an organization’s financial and operational sustainability.
This threat extends beyond the hospital and practice walls. More patients than ever are accessing care and sharing data through telehealth and remote monitoring at home. Meanwhile, providers and remote administrative staff often need to access networks, applications, and protected health information at a home office or on a mobile device, which pose their own security risks.
Evolving with the times
These threats and vulnerabilities, as well as the emergence of new technologies like Generative AI, are why IT partners serving healthcare have evolved beyond delivering only stop-gap measures to developing enterprise-wide cybersecurity strategies.
Such a comprehensive approach likely includes elements such as an assessment of all security vulnerabilities, blocking potential entry points, continuous monitoring for threats, rapid response protocols, and backup systems and servers so the organization can protect data and maintain operations.
Operational continuity is particularly important in communities with provider and hospital shortages. Shutting down a facility or system in these areas due to an incident for three to four weeks, as estimated by an American Hospital Association cybersecurity advisor, could mean risking patients’ health and safety.
Unfortunately, in some of these underserved communities, identifying qualified partners that offer comprehensive cybersecurity and strategic IT support can be more difficult. A few key attributes of an ideal IT services partner include:
Healthcare expertise: Healthcare organizations may use some of the same IT equipment and applications as other industries, but a qualified IT partner needs to have an in-depth understanding of the complex regulatory environment in healthcare and unique workflows of clinical and administrative staff. In other words, no other business operates quite like a healthcare organization. Moreover, the needs of a high-volume orthopedic or dermatology group practice are vastly different than a multi-hospital health system serving an entire state. A true partner needs to understand those differences and have a plan for every type of entity.
Best-of-breed technology: Along with industry knowledge, the IT partner needs to offer and manage best-of-breed technology tailored to the organization’s needs, whether for clinical or business use, or enterprise-wide. The partner should also offer alternatives if the organization has already implemented best-of-breed technology that is failing to help it reach its clinical and/or financial goals.
End-to-end proactive security: Cybersecurity needs to be a major priority for all healthcare organizations, perhaps the most important, considering the potentially enormous financial and operational impact associated with an incident. An IT partner must have deep expertise in every aspect of healthcare-exclusive cybersecurity, especially the new tactics used by threat actors, and the complex security and privacy requirements of HIPAA.
The safe and secure way forward
Looking back 20 years, when fewer than 18% of physician practices used electronic health records, few experts would have anticipated how information technology has changed healthcare. Thanks to IT, the volume and types of data generated and the speed at which they can be analyzed are vastly different than decades ago. Unfortunately, IT also is used as a weapon today to hold provider organizations hostage. Now is the time to devote the attention and resources that IT requires.
The risk is that attention may turn into a costly distraction that begins to detract from the quality of care and experience providers deliver to patients. Instead of waiting for such a crisis, providers who determine a need to improve their IT cybersecurity stance could turn to experienced and qualified healthcare technology experts who can protect their organizations from such internal and external technology-related risks.
Of course, relying on partners for IT services and trusting them with patients’ PHI raises its own concerns and risks, including sharing control of systems, loss of some visibility and potential difficulty communicating. As described earlier, optimal partner selection is essential in mitigating these risks. In addition, when forging service agreements, healthcare organizations should establish their data and systems control and visibility requirements, as well as expectations about communication, scalability, regulatory compliance, accountability, and any other concerns.
Explicitly documenting the healthcare organization’s requirements and expectations within the agreement can help avoid surprises down the road. It also can increase the likelihood of a successful partnership resulting in secure and protected data and systems, time and cost savings, and proactive support for providers so they can deliver the best outcomes for their patients.
This article was written by Frank Forte from MedCity News and was legally licensed through the DiveMarketplace by Industry Dive.