As healthcare organizations further integrate technology into their operations, the risk of cyberattacks increases — and research shows that today’s healthcare leaders are continually looking for ways to lower that risk.
A recent survey shows that healthcare executives identify data theft and ransomware as the major cyber issues facing their organizations. According to a 2016 survey conducted by CHIME and AEHIS, respondents listed data theft ahead of cyberterrorism and organized crime as the top threat to their organizations. Executives also ranked ransomware ahead of distributed denial of service (DDoS) attacks, hacking, and malware as the system exploit that concerns them the most.
In response to these growing threats, we’ve also seen many healthcare organizations increase their cybersecurity spending since 2013. The 2018 HIMSS Cybersecurity Survey reports that 84.3 percent of respondents said their use of resources to address cybersecurity has increased.
When you consider the unique nature of healthcare data that requires specialized strategies to maintain privacy and security — and the potential that medical records can be compromised for years, as opposed to credit cards that can be cancelled when a breach is discovered — it should come as no surprise that cybersecurity is now at the top of the agenda for most healthcare leaders.
Deterrence starts with the end user
Among all of the factors that can deter potential cyberattacks, the most important is the end user. At Halifax Health, our extensive training and education, external source warnings in emails, and regular simulated phishing tests have all improved the organization’s safety posture on the staff level.
On the IT level, we have implemented guidelines to block certain email and malicious websites, and to allow appropriate access to USB devices, external storage, and administrative rights that provide another layer of internal security.
Halifax also took steps to mitigate the impact of ransomware and took out cyber insurance that provides financial support in the case of a ransomware attack. We work with third-party security vendors, or “digital traders,” to ensure that the organization maintains control over access to information when dealing with these vendors.
By implementing this type of holistic strategy — what we call our “D3” philosophy (Deterrents, Detection, Deception, and 3rd Party Assurance) — Halifax Health strengthened its capacity to reduce the potential for cyberattacks and their resulting problems before they happen, and to respond in an effective way if any breaches actually occur.
What healthcare leaders can do
Healthcare executives cannot be passive, or presume that their organization will not be the target of cyberattacks. If an organization’s leaders don’t regularly test their network’s defenses against cyberattacks and fall victim to a breach, the term “CIO” could have a new meaning: “Career Is Over.”
Patient information, clinical study data, and internal documentation are all far too important to leave at the mercy of cybercriminals. Understanding what drives hackers and ransomware attackers, and building your organization’s capacity to deter them, are non-negotiable steps in protecting the information on your network.
With the proliferation of devices in the clinical setting, another critical step is establishing and maintaining high-security policies for biomed and IoT devices. An organization’s security network is, as the adage says, only as good as its weakest link.
Taking a top-to-bottom, holistic approach to cybersecurity provides strength for every link in the chain that protects critical data. Most importantly, healthcare organizations of all sizes must make cybersecurity a priority for staff on every level, so that all users can do their part to combat the ongoing threats to the network.
Learn how to protect your organization against cyberattacks
Understanding the threats and vulnerabilities that we face as healthcare leaders — the hackers who try to breach our digital networks; the devices that we give to doctors and nurses that could potentially add vulnerable access points to PHI; and blockchain and cryptocurrency that could allow hackers to demand and receive untraceable payments — is absolutely critical to developing effective cybersecurity strategies.
From the organization’s perspective, the key objective is ensuring that all staff are provided with the tools they need to conduct their work safely, while limiting exposure to cyberattacks and routinely conducting enterprise-wide risk analysis to implement an effective plan to avoid future breaches.
Please join me at the MEDITECH Physician and CIO Forum, Oct. 17 and 18 in Foxborough, MA, where I’ll join Denao Ruttino, VP and CIO of Firelands Regional Medical Center, in discussing effective strategies that you can use to protect your organization and your patients.
Sign up for the 2018 Physician and CIO Forum to learn how MEDITECH Expanse can help you to view healthcare through a new lens, using the most advanced, mobile EHR functionality.