Healthcare organizations are facing an unprecedented number of cyber attacks. In 2023, the most recent full year data, healthcare organizations in the U.S. saw 128% more ransomware attacks than the previous year. Worldwide ransomware attacks against the healthcare sector have steadily increased and nearly doubled since 2022, reaching a total of 389 victims in 2023 compared with 214 in 2022, according to the Office of the Director of National Intelligence.

It’s clear public sector health organizations need to bolster their resilience to keep vital systems, applications and data secure, always available and accessible to deliver services and maintain patient trust.

At the same time these healthcare organizations face more cyber threats, their reliance on those same technological advancements promise to transform mission-critical healthcare services in an increasingly digital industry. Healthcare organizations will continue to rely on technology to deliver data insights to help providers deliver high-quality patient care and promote the health and well-being of the community.

Agencies need to figure out how to strike the right balance between protecting data and systems and making those systems accessible to doctors, nurses and patients.

Walter Reed Hospital in Bethesda, Maryland is at the tip of the spear when it comes to putting people and security at the forefront of a new healthcare delivery model.

Cmdr. Dr. Isaac Schwartz, the chief health informatics officer for the Defense Health Agency in the National Capital Region, said they are about to go live with this new model.

“This basically is an opportunity to re-envision the way that we use people, processes and technology to deliver healthcare. I think that the key reframing of our mission is that instead of physician first, we are pivoting to being patient first and person first, and so we’re leveraging the processes and technologies we have with data, with standardized processes in our new electronic health record MHS Genesis, to really just re-envision what our top priority is: Taking care of the patient as quickly as possible,” Schwartz said on the discussion Cyber Resilience in Healthcare: Safeguarding data in a digital age. “In a way that stays respectful to their personhood and also leverages the expertise and brilliance of our staff population.”

At the center of the care effort

Schwartz said the electronic health record is not going to be a hospital concept, but one that is focused on the person. He said DHA will navigate the levels of cybersecurity, the levels of accessibility and control over that data with a focus and a respect for the person who owns that data.

“It is a really interesting problem set that we’re going to need to solve as a defense agency, but also as a healthcare system in the United States,” he said.

Chris Nichols, the program manager for enterprise intelligence and data solutions at the Program Executive Office Defense Healthcare Management Systems (PEO DHMS), said his organization has been on a technology modernization journey for several years with an eye now toward putting patient data at the front of the care effort.

“I want to have the right application programming interface (API) structures to leave the data where it needs to be, build the right mesh capabilities around it and make it more secure,” Nichols said. “Then bring the users, bring the data scientists that we have and our partners into the platform to leverage that data to keep it more secure. These kind of conversations are really what’s happening. I’ve seen more and more around with a lot of cross-agency collaboration. We meet with [the Centers for Disease Control and the Department of Health and Human Services] on a monthly basis, and with our partners in these other organizations. But that is really driving a better conversation in the cyber space, I feel like, across the agencies.”

Over the last few years, PEO DHMS has set itself up to have those conversations and take advantage of APIs by consolidating 24 data warehouses and replatforming over 30 applications by taking them to the cloud.

Nichols said the ability to use APIs and the IT modernization improvements are even more important because only 40% of all care to servicemembers and their families is actually delivered in military treatment facilities. The rest of it is delivered out in the purchase care side in the private sector so those healthcare organizations have to share data back and forth with DHA seamlessly.

A holistic, integrative approach to healthcare

Putting the patient first also means agencies must ensure their employees are empowered by both the technology and the organization more broadly.

Jothi Dugar, the chief information security officer and NIH Wellness Ambassador for the Center for Information Technology at the National Institutes of Health, said her office has taken a human-centric approach to both IT modernization and cybersecurity.

“We move into more of a whole person healthcare system at the NIH, and just worldwide, where we’re not putting Band Aid fixes on conditions as we were before,” she said. “We’re really focusing on taking more of a holistic and integrative approach to healthcare and in technology as well. When we talk about mind, body, energy and healthcare in technology, we focus on people, processes and technologies. Over the years, we’ve pretty much only focused on the technology part, maybe a little bit on the process, and we really need to shift that perspective and looking at the people first, which includes culture change, change management principles and what do we need to do to empower our people, not look at them as our weakest link, but look at them as our highest or most prized assets. What do we need to do to help empower them in terms of education, awareness, training and embed the technology principles and cybersecurity principles into everyone’s roles.”

Dothi said NIH started an optimize security initiative in 2021 that has led to bringing 27 different NIH institutes and organizations together around specific principles. She said this lets each organization realize what their role is in technology and cybersecurity and embed the security requirements in the technology from the beginning of a project.

“We also enlisted cyber champions across the NIH, who are people that are outside of technology and cybersecurity, who are willing to learn and they’re willing to explore these fields so that they can they can then take it back to their groups and their organizations to drive these principles,” Dothi said.

FDA’s network as a foundation

The Food and Drug Administration over the last few years also has made a similar pivot as the NIH, where the focus shifted from the technology to the people and processes.

Vid Desai, the chief information officer for the FDA, said if they don’t improve the processes, then the cost of the management and implementation of the technology may be higher than previously.

But Desai also recognized that modernizing processes is far harder than modernizing technology.

“In 2023, we published our first FDA IT strategy and it’s got six elements. Essentially, it focuses on creating a shared one FDA ecosystem, strengthening our infrastructure, modernizing our capabilities, most importantly, focusing on data and mission outcomes,” Desai said. “And obviously, we can’t talk anything about technology without thinking about innovations which are happening constantly. Artificial intelligence is going on right now, and my most favorite one, which is cultivating talent and leadership. Nothing sticky happens without making sure that you have the right talent and the right leadership because organizations will change, people will change and leaders will change. We want to create and do something that’s going to stick around and continue so that last point on talent, leadership is very, very important.”

At the same time, Desai said implementing the right network architecture is important to everything from operations to disaster recovery to cybersecurity as well as ensuring employees don’t have a bad experience with the new technology. If they do have a poor user experience, he said it’s more likely they will figure a way around it, thus increasing the organization’s risk.

The idea of putting the person at the center of healthcare IT modernization and cybersecurity initiatives isn’t just happening in the public sector.

Driving toward mission objectives

Bri Morgan, healthcare industry advisor at Splunk, said all healthcare organizations must ask the right questions about the availability and accessibility of systems, services and data.

“We’ve just seen so many investments in e-health and the goal is to have these web-enabled systems that really can connect us as an enterprise over distances, expanding that organizational boundary with the goal of streamlining operations or creating better access,” Morgan said. “It’s not just the investment in the technology, it’s the consideration of the workflow and processes, the users of the systems, the consumers of the data and making sure that we’re really driving toward the mission critical objectives.”

Morgan said there is an increasing number of clinical informaticists, so the systems and employees’ skills must match so they can deliver the best healthcare to the patient.

Morgan said this is why public and private sector organizations are ensuring they bring in practitioners to refine the system processes.

“We’re not losing sight of the human element in healthcare and really keeping focus on being people centric. We live in this experience era, so we’re going to see a lot of digitization and operational clinical workflow right at the point of confluence. But what we’re hearing is that’s not necessarily how we solve challenges through technologies, that process and efficiencies,” she said.  “Automating those inefficiencies also will not further advance us. So making sure we have the stakeholders that are involved at the stage of ideation when making those investments in any type of innovative technology or modernization, especially when we’re adopting new niche and innovative technologies that do require those cultural shifts.”

Key topics include:

• How evolving mission priorities have shaped modernization efforts over the past 2-4 years
• The impact of technology convergence on patient-centered healthcare
• Adjusting to increasing cyber threats in the health care industry
• Ensuring data, system, and application security and resiliency
• Reducing the attack surface to protect health care infrastructure