Why Google is working to improve rural healthcare cybersecurity

Google is taking significant steps to help rural healthcare networks become more secure and resilient against cyberattacks. Here’s why.

Healthcare organizations have wrestled for decades to protect complex and critical technologies that are vital to their core mission of helping sick people get better. The proper functioning of our society depends on the ability of people to receive timely healthcare, yet cyberattacks against healthcare organizations are making it harder — and the attacks are getting worse. 

In the first half of this year, attacks on hospitals and their suppliers have disabled payment systems, prevented patients from receiving the care they need, and in some cases, have made it unsafe to be a patient at an impacted care facility. Hospitals and clinics have been pushed to the brink, with some being forced to permanently close. 

Rural communities across America are especially vulnerable to these threats. Estimates suggest more than 60 million people are served by 1,800 to 2,100 rural hospitals and clinics, many of which are critical access hospitals located more than 35 miles from another hospital.

That might not seem like a long distance, but a cyberattack can force someone suffering from a catastrophic injury to be diverted from their closest hospital to one further away. For patients and staff who remain inside an impacted hospital and can’t be moved, their experience changes, too. 

When computers deliver and coordinate care suddenly stop functioning, other services deteriorate. Radiology services needed to diagnose strokes, systems in the NICU that keep very sick babies under constant surveillance (and warm), bedside medication administration systems to ensure proper medication delivery and dosages, and even basic electronic medical records (EMR) for patients have all been degraded or stopped by cyberattacks.

While clinicians do their best to keep track of everything with paper and pen during a cyberattack that takes down their EMR system, no access to patient medical records can slow or even halt simple procedures that saves lives. We don’t have to imagine these real-world consequences of cyberattacks against healthcare because we’ve seen them happen, repeatedly. 

All of this presumes that a cyberattack isn’t impacting multiple medical facilities in the same vicinity, and hopefully, the hospitals to which patients are diverted are capable of treating patients with the same level of care. 

The White House, Department of Health and Human Services, the Health Sector Coordinating Council, and others are putting significant effort into identifying systemic challenges, and working with organizations including Google to come up with real and defined solutions to improve cyber resilience for rural health facilities. We’re excited to see this new direction, and we’re here to support communities and health systems.

The Biden-Harris administration published a fact sheet on June 10 summarizing the White House response to these attacks. Recognizing the unique role that healthcare organizations play in their communities, regions, and across the nation, the White House emphasized the public-private partnership needed to better secure hospitals and other healthcare organizations.

As an early innovator and proponent of secure-by-design technology, Google has been working across industries to provide access to and onboarding support to implement the same security tools and practices that keep Google safe to organizations of all types. Today, we are bringing these technologies to healthcare organizations, some substantially discounted and many others at no cost, to help improve their agility to defeat cyber threats, and mitigate cyber risks that may otherwise undermine their availability.

We support the White House’s efforts in achieving that outcome. We believe organizations, including Google, can help in a few different, unique, and important ways, and we welcome the opportunity to contribute.

Secure by design, secure by default

We know that many health systems have acquired and operate technology that was built for interoperability, but not with strong security measures in mind. 

At Google, we develop secure by design technologies that have been engineered with security from the get-go, not bolted on afterwards. Fortunately, the U.S. government and other governments around the world have been encouraging and, in some cases, mandating shifts to secure by design and by default technologies. Critical to the security and resiliency of healthcare technology, secure by design and by default encourages four essential principles: 

• How customers actually use products, even when those uses are inadvertently risky;
• How the developer ecosystem can encourage vulnerability and error prevention;
• How grounding software in properties that remain consistent even when under attack can strengthen resilience; and
• How understandability and assurance can verify those grounding properties, even at scale.

Technology that shows up in a hospital must be secure by design and by default. It must be increasingly easy to maintain, upgrade, patch, and eventually replace when needed. It must not add more complexity to already complex environments. It needs to work safely, after it has experienced an attack, or indeed, during an attack. The makers of these technologies know that the only way to achieve these outcomes is to ensure that protections are built in from the start.

Share information on threats, countermeasures, and successes

Information sharing is a vital component of securing the healthcare sector. We need better mechanisms to capture and share information that include and surpass threat intelligence. This includes data-supported conclusions about which practices work, and ensuring that they are informed — but not solely driven by — incidents and failures. 

As part of Google’s pursuit of this goal, we have been developing partnerships with multiple information sharing and analysis centers, including the Health ISAC, across more than 10 critical infrastructure sectors — and we plan on doing more. We are eager to support organizations such as the Health ISAC and Sector Coordinating Council continue to get stronger at executing their key function: sharing information. 

We need to reduce barriers to sharing information, too. More organizations should be sharing information at increasing levels of sophistication: It’s just not enough anymore to merely consume it. Organized, rapid intelligence-sharing, and verifiable responses can mean the difference between a successful defense and a vulnerable one.

Put Google’s security tools and trainings in the hands of hospitals

Google will put our own collaboration and security products into the hands of hospitals and healthcare organizations that need them, most at no or very discounted cost. We are offering products, implementation services, and support to eligible organizations to support their adoption, as well as additional cybersecurity training. Organizations interested in more details on the following offerings should email rural-health@google.com.

This post originally appeared as part of Cloud CISO Perspectives. For the full version of this post, including more details on our offerings and training, click here.