Health Equity Gap: Why Cybersecurity Should Be A Priority
by Dr. Erin Jospe for HIT Consultant
There has been a newfound effort to highlight and address the disparity in health outcomes for patients who belong to one or more marginalized communities. Opportunities for health and wellness are dictated by social, economic, environmental, and systemic factors, not by factors that are inherently genetic or physiologic. This means that the color of one's skin, what ZIP code they are born and live in, the education they receive, the food and housing they have access to, and the jobs they hold are the primary drivers of one's wellness and health outcomes.
It stands to reason that anything that further exacerbates the chasm of economic and systemic opportunity will result in additional hurdles to achieving health equity. This creates a tremendous opportunity to apply the lens of health equity to the numerous strategic imperatives a healthcare delivery organization is already prioritizing. We can still implement initiatives that address the foundational stability of health systems, and the opportunities for innovation and evolution of care, while also accounting for the often-unintended consequences they may have. Rather than silo health equity as a clinical issue, it should be woven into the fabric of all work that has the potential to impact our patients from an environmental or economic standpoint. Given the direct impact ransomware and data breaches can have on the physical, mental, and emotional health of our patients, for example, we would be remiss to exclude cyberattacks from the ways we view opportunities and challenges to address the root causes of health disparities.
Cybersecurity as a top priority
Ransomware attacks on healthcare delivery organizations have doubled between 2016 and 2021, with a 94% decrease in time to encryption of data. The exposure of ever-larger amounts of personal health information—and the sophistication and frequency of attacks are only expected to rise further – potentially creates quite literal life-and-death situations. Electronic health records (EHR) encryption, ambulance diversion, delays and cancellations of appointments and surgeries all contribute to negative health outcomes. Time is always of the essence when it comes to care delivery, so it isn't surprising that there are untoward consequences to patients from data breaches and ransomware attacks that impede operations. The full impact to health outcomes is challenging to quantify, but already studies show a rise in 30-day mortality for patients who present with myocardial infarctions during a cyberattack. What is surprising is that this 30-day mortality rate stays elevated long after the data breach occurred due to the mitigation efforts to rectify the vulnerabilities. The very measures put in place – longer authentication processes, faster auto-logout times, frequent and longer password changes – make it harder to provide care when minutes can matter the most.
As if the chaos of a ransomware attack, with diversions and inaccessible EHRs, were not wearing enough on an already overtaxed healthcare team, the remediation process itself can further complicate operations well past the acuity of a breach. Addressing the cascade of operational and clinical consequences is an area of cybersecurity that warrants broadening the conversation from IS and IT leadership, to one that represents all health system stakeholders, including clinical leadership. Tabletop exercises are crucial to an evolving and successful cyber strategy, but so is visibility to the impacts and expectations across the organization, which should translate into broader involvement and a sense of ownership among numerous health system leaders. In addition to creating a culture of stewardship, as well as an opportunity for a practical infusion of workflow and user perspectives, we should think about the patient experience, and how cyberattacks – both their prevention and remediation – may inadvertently contribute to disparities in patient health and financial outcomes.
Cybersecurity and patient advocacy
An important first step is recognizing the deterioration in health outcomes that can occur due to our approach in preventing, navigating, and overcoming cybersecurity attacks. But we also need to acknowledge that these worse health outcomes disproportionately impact people of color, the poor, and the elderly.