Conference Speakers Discuss the Benefits and Risks of Technology in Healthcare
Two speakers at the Foundation for Accounting Education's Healthcare Conference on Sept. 19 discussed the challenges and benefits of technology in the healthcare industry. Joseph Horowitz, director of compliance and audit at Stetson Cybergroup, spoke about cybersecurity risks, and Jim Wiggins, principal of Securible, discussed artificial intelligence (AI) applications.
Horowitz began his talk by explaining why he likes to scare clients by bringing up recent cybersecurity incidents in healthcare. “What I do in most of my training [sessions] is I scare people first because I think they need to be scared to understand why this is so important,” he said.
Healthcare cyberattacks have surged by 136% over the past year, according to Horowitz. He added that hackers do not care about a company’s size; they are looking to steal data and information from wherever they can get it.
Horowitz said that the money that hackers get on the dark web for patient information is “just phenomenal.” The hackers are becoming more sophisticated, Horowitz said. He characterized them as “very organized foreign entities, state-sponsored, who are trying to get into companies anywhere in the U.S., including infrastructure and government agencies.”
In his presentation, Horowitz enumerated the top five cybersecurity incidents in 2023-2024 thus far, among them the data breach of HCA Healthcare, a major hospital and clinic operator, which affected 11 million patients across 20 states, and the data breach of medical transcription service provider Perry Johnson & Associates, which compromised the personal health information of 9 million people in the U.S.
In healthcare, the entry points for a potential cyberattack are numerous, he said: medical devices, pacemakers, insulin pumps, defibrillators, MRI machines and heart monitors.
The main problem is outdated technologies, Horowitz said. The companies that make these medical devices often do not install the proper security in the software, and patches do not come with them. This is also a problem with office systems: “We are seeing a lot of medical offices that have these old systems that just cannot be patched. The systems are open to the internet because they have to share data with other companies, other patients or subscribers, and the companies that they bought the information from do not have the resources to patch or have gone out of business.”
Medical staff are also frequently accessing data remotely. Since COVID-19, a lot of people started and continue to work from home. Horowitz said that he always warns that “those employees working from home don't often have the best antivirus [protections] in their machines.” A lot of companies are allowing them to buy their own computers and not monitoring the security system on those computers.
According to Horowitz, another significant hurdle in securing these systems is that healthcare staff are not educated or trained on online risks and security. The mandate under the Health Insurance Portability and Accountability Act (HIPAA) that anyone working in the healthcare field must get training annually and upon hire is not being followed.
In light of these risks, Horowitz suggested some ways to prevent these cyberattacks from happening. One is training medical employees with guidelines on how to protect electronic health information. Another is installing controls that can protect personal health information, such as multifactor identification and strong passwords that are longer than 12 characters and have complexity requirements enabled.
Horowitz also recommended encryption. Microsoft Office products offer the option to encrypt data, but Horowitz said that usually nobody enables it. He also suggested performing cybersecurity risk assessments. “You really don't know what your issues are until you stand by and try to assess what is part of my problems,” he said, adding that companies should perform vulnerability scans and penetration testing on a regular basis. Penetration testing involves an ethical hacker hacking into a company’s systems. He recommends an annual vulnerability scan and a yearly schedule for penetration testing.
For his part, Wiggins talked about AI and its particular context within healthcare. He said that several factors led to the development of AI, including the rise of Big Data, the development of the internet in the '90s, and the advancements in computer processing. Companies have allowed large language models or AI systems to be trained on copious volumes of information, resulting in large language systems such as OpenAI's ChatGPT, Google’s Gemini, the Quadrilateral Security Dialogue's Quad AI, Meta's Llama AI, and X’s large-language AI called Grok.
“All of these are trying to push the ball forward [by] mimicking human intelligence. [AI] does this through machine learning where the system is trained. They become more intelligent just like you and I when we go to school; we get exposed to a bunch of information, and that ultimately gets added to our memory and improves our intelligence. These large-language systems through their algorithms are the same basic idea.”
Wiggins explained the evolution of AI and its use in different industries. Healthcare is one of them. AI can provide a variety of insights into areas such as patient outcomes, operational efficiencies for healthcare providers, and different types of delivery services. “The ability to have all this information that has relatively decent competence across a full range of different domains means that things like X-ray images, MRIs and other medical images can potentially be analyzed much quicker and much faster with high accuracy,” Wiggins said.
With AI, the reading of an MRI can be done in seconds or minutes. Wiggins noted that this doesn't necessarily mean it will fully diagnose 100 percent of what was seen in the image. Still, one of the benefits of AI is being able to take all of that information and have it identify indicators of potential disease. “Diagnostics is a huge potential area for the use of AI because these AI systems know a lot about the human body, different types of medical conditions and diseases.” He added that AI is able to look up and flag when a particular image shows the need to be followed up on.
Another area could be personalized medicine. “Doctors treat us the same way based on basic demographics—our age and gender. Imagine a whole bunch of information about the different gene variant or gene considerations that might contribute to certain underlying factors. AI could analyze that kind of information and all other vital statistics such as resting heart rate, weight or cholesterol levels,” he said. All those create a personal profile for the patient that could help the doctor create customized or personalized medicine options. “AI could help doctors and healthcare providers provide potentially more optimized and personalized treatments.”
Beyond the patient side of the equation, Wiggins also talked about the healthcare provider perspective. “This is one of the really strong areas where AI can help many different organizations, not just healthcare. Think about scheduling. We all have doctors and healthcare providers who sometimes feel like they are overscheduled and don't have enough bandwidth. With AI, there is an opportunity to get into more of an automation mode.”
Wiggins noted that AI could also help out with billing and coding as well as other basic types of operational efficiencies—anything from developing and updating policies, forms, procedures and processes.