IHS CISO Says Zero Trust Strengthens Patient Safety, Care Delivery

Indian Health Service (IHS) CISO Benjamin Koshy said cybersecurity is inseparable from patient safety, emphasizing that strong defenses are critical to protecting health data and ensuring uninterrupted care. IHS is embedding zero trust principles to safeguard sensitive information and reinforce a culture of cyber awareness among clinicians and staff as the agency modernizes its electronic health record (EHR) system.

“We’ve basically equated cybersecurity to patient safety. You can’t have one without the other,” Koshy said last week at Palo Alto’s Public Sector Ignite event in Tysons, Virginia. “Cybersecurity issues can cause a real detriment to patient safety or the effectiveness of the clinician to treat their patients.”

Health care organizations are facing a rise in ransomware and data breaches targeting hospitals and patient record systems. Earlier this year, the American Hospital Association (AHA) said health care data can be valued up to $1,000 per record, making it the most valuable personally identifiable information.

IHS Division of Information Security (DIS) Program Manager Solomon Wilson said growing adversarial interest in health care data spotlighted the need to adopt a zero trust approach. Wilson noted that most employees view cybersecurity policies as a hindrance to delivering care. However, he said zero trust demonstrates how strong security can enable better care delivery.

“Security is not there to impact mission delivery,” said Wilson. “Security is there to make this happen in a secure way where data is protected.”

Building the PATH EHR around Zero Trust Principles

IHS provides care to roughly 2.8 million American Indian and Alaska Native people across the U.S., with many of its facilities located in rural or remote areas that still depend on legacy systems. As the agency enters the final phase of its multi-year modernization effort, it’s deploying a new electronic health record (EHR) system built on a zero trust framework.

Koshy said IHS sought a platform that could offer “a uniform overview” of its entire environment to support the transition away from outdated technologies and systems.

“We had facilities that are still using microwave while there’s gigabit internet in major cities,” said Koshy. “We wanted to make sure the platform was robust enough that it could handle those diverse connections and tolerate latency.”

Koshy added that IHS will continue be transparent with end users as the it evaluates new technologies to maintain a strong cybersecurity posture.