Artificial Intelligence: A Threat To Cybersecurity?

Well, if there’s one thing that healthcare’s got an abundance of, it’s data.

And it goes without saying that safeguarding that data is crucial. 

So we find ourselves with an interesting paradox: data is the foundation of artificial intelligence, yet AI models now pose new and elevated threats to cybersecurity. 

Obviously it’s not that AI is inherently bad, nor is any technology. Whether any tool is labeled good or bad depends on whose hands you put it in. 

So yeah, there are hackers out there getting creative with using AI to take advantage of sensitive data. 

But there are also cybersecurity professionals getting just as creative to prevent such attacks. 

That being said, what does the current landscape of cybersecurity look like in healthcare? 

Well, here are three of the guidelines that pretty much every healthcare organization should adhere to:

NIST

The National Institute of Standards and Technology (NIST) cybersecurity framework was originally designed to mitigate cyber risks for federal organizations. 

So it makes sense that compliance is mandatory for all federal agencies, which doesn’t include private healthcare. 

However, its 5th revision covers non-government entities, so it’s recommended that private companies also comply with it.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is one that virtually every healthcare professional in the United States is familiar with. 

Compliance is mandatory for all healthcare providers, health plans, business associates, and more – basically, every entity that serves a branch of US healthcare.

CIS

The Center for Internet Security (CIS) Critical Security Controls were designed to protect both public and private organizations from cyber threats. 

CIS compliance is not mandatory, but it’s strongly recommended. It provides a pretty streamlined set of protocols that, if followed, greatly enhance an organization’s security. 

Now if you’re even remotely familiar with cybersecurity then you know none of this is new.

And that’s kind of the point. These fundamentals aren’t going anywhere. 

If anything, executing them well will just become that much more important because AI, in its current stage, is uniquely qualified to present a specific kind of challenge: the ability to handle huge volumes of data. 

If it used to take hackers weeks to comb through an organization’s security system, it can now be done in days using AI. 

So the most likely use-case for AI in a cyberattack would be to: 

  1. Consume a lot of information about a security system 
  2. Identify gaps in it that can then be exploited

And ensuring that these gaps don’t exist, in large part, just comes down to executing the basics extremely well.

So why should you care? And why now? 

Well, there’s the obvious fact that not having a secure organization is a massive liability and a disservice to your patients. 

But besides that, there are 3 changes in the AI and healthcare landscape that you need to pay attention to: 

The growing dependence on AI

As the technology advances, more and more people will become reliant on it – and that doesn’t just include the ChatGPT gurus. 

Most health-tech, med-tech, and digital health innovations now revolve around AI, whether it’s AI-enabled EHRs, RPM (remote patient monitoring) devices, or clinician assistants.

That being said, it’s now more important than ever that healthcare’s data goldmine is protected since so many new technologies are being built upon it. 

What’s more, if this data is tampered with, then setting aside the financial and privacy issues, it could also lead to inaccurate clinical recommendations.

For example, say the data is tampered with in such a way that it’s no longer representative of the entire population for which the model is being deployed. 

This would result in the model making poor recommendations that skew clinicians’ judgments in the wrong direction. Ultimately, this would be incredibly harmful for patients. 

Biases in the data create biases in the model.

Healthcare’s “consumerification”

Every time a health system suffers a cyberattack, it decreases patients’ trust. Unfortunately, there have been several major infiltrations in the past few years alone.

And as patients become more consumer-savvy, they’re also becoming less forgiving of data breaches & privacy violations. 

As a patient-facing business, you’re no longer competing with other practices solely based on the level of care you provide – the entire experience matters. 

And that not only includes the trust that patients have in your providers, but also the trust that they have in your organization as a whole. 

AI’s polymorphic nature 

AI can be repurposed into what’s called polymorphic malware, which is essentially a program that can rewrite itself to avoid detection. 

Now, hackers have been using polymorphic malware for a long time, but AI allows this to be taken to a completely different level. 

For example, imagine the CEO of a company asks a customer support employee for a password reset on one of their accounts.

Now, everyone knows that the CEO’s a forgetful person, so it’s understandable. The employee asks the CEO to FaceTime them to confirm the password reset, and the CEO happily obliges because they need to make an urgent purchase.

Fast forward an hour and the account is wiped clean… 

This can actually be pulled off with the help of AI because it can be used to create deep fakes. 

The AI can literally render an image of a person, with their demeanor, generate a voice identical to the person’s, and use those assets to commit cybercrimes. 

In other words, AI is not restricted to text anymore – it can be deployed in a variety of different formats. 

This scenario is an example of AI-enabled social engineering, and unfortunately, it’s not going away anytime soon.

Where’s the proof?

WHO names cyberattacks a global threat

Earlier in November, the World Health Organization (WHO) released an article detailing the cyberattacks on major health systems and how they pose a global threat.

The Director-General, Tedros Adhanom Ghebreyesus, made the following statements during the Security Council’s meeting:

  • “Ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality, they can be issues of life and death.”
  • “At best, these attacks cause disruption and financial loss. At worst, they undermine trust in the health systems on which people depend, and even cause patient harm and death.”

CrowdStrike adds $218 Million to ARR

CrowdStrike, a cybersecurity giant that serves multiple industries (including healthcare), has done well this past quarter.

The company boasted $218,000,000 in net new ARR in its Q2 report.

Bain & Company says US healthcare is spending more on AI and cybersecurity

Bain & Company partnered with KLAS Research to create a report demonstrating the increased spending by healthcare organizations on AI, cybersecurity and other IT investments. 

Part of what’s fueling the growth was the attack on Change Healthcare, a major provider of revenue and payment cycle management. 

Of the companies that increased their technology investments, 70% reported being directly affected by the attack. 

HHS appoints CAIO

The U.S. Department of Health and Human Services has reorganized itself to expand new roles, such as a Chief AI Officer (CAIO) and a Chief Data Officer (CDO).

They will be responsible for governing AI policy and data strategy, respectively. 


Proprio using AI in surgery

Proprio’s Paradigm uses advanced AI, machine learning, and more to visualize the entire surgical landscape in real time.

This enables surgeons to be more aware of their surroundings while operating, increasing the likelihood of success. 

This is a fantastic example of how AI is being used to make medicine that much more personalized and effective. 

Action Steps

Below are some practical ideas for how you can enhance your organization’s cybersecurity:

  • Educate your patients
    • Patients need to know when it’s safe to provide confidential information and when it isn’t. 
    • This could be as simple as mentioning on your website’s contact page: “Do not provide confidential information here.” 
    • You could even go as far as recommending resources to patients about HIPAA, so that they know how to hold healthcare professionals accountable for their privacy. 
  • Let your employees know what you’ll never ask for
    • You can tell your employees about the requests that you will never make of them no matter what.
  • Have a robust incident-response plan in place
    • In the event that you’re subject to a cyberattack, you need to have clear protocols on how to respond to fend off the attackers while minimizing further damage. 
  • Update everything
    • Updates of any software almost always patch bugs that could be exploited in a cyberattack.
  • Segment your data as much as possible
    • In the event that a breach is made, having extremely segmented data makes it that much more difficult for attackers to take over your entire organization. 

That’s A Wrap!

See you next Saturday 🙂
