How healthcare executives can forge a stronger chain against cyberattacks

October 2, 2018 |  Security, Patient Safety

As healthcare organizations further integrate technology into their operations, the risk of cyberattacks increases — and research shows that today’s healthcare leaders are continually looking for ways to lower that risk.

A recent survey shows that healthcare executives identify data theft and ransomware as the major cyber issues facing their organizations. According to a 2016 survey conducted by CHIME and AEHIS, respondents listed data theft ahead of cyberterrorism and organized crime as the top threat to their organizations. Executives also ranked ransomware ahead of distributed denial of service (DDoS) attacks, hacking, and malware as the system exploit that concerns them the most.

In response to these growing threats, we’ve also seen many healthcare organizations increase their cybersecurity spending since 2013. The 2018 HIMSS Cybersecurity Survey reports that 84.3 percent of respondents said their use of resources to address cybersecurity has increased.

When you consider the unique nature of healthcare data that requires specialized strategies to maintain privacy and security — and the potential that medical records can be compromised for years, as opposed to credit cards that can be cancelled when a breach is discovered — it should come as no surprise that cybersecurity is now at the top of the agenda for most healthcare leaders.

Deterrence starts with the end user

Among all of the factors that can deter potential cyberattacks, the most important is the end user. At Halifax Health, our extensive training and education, external source warnings in emails, and regular simulated phishing tests have all improved the organization’s safety posture on the staff level.

On the IT level, we have implemented guidelines to block certain email and malicious websites, and to allow appropriate access to USB devices, external storage, and administrative rights, providing another layer of internal security.

Halifax also took steps to mitigate the impact of ransomware and took out cyber insurance that provides financial support in the case of a ransomware attack. We work with third-party security vendors, or “digital traders,” to ensure that the organization maintains control over access to information when dealing with these vendors.

By implementing this type of holistic strategy — what we call our “D3” philosophy (Deterrents, Detection, Deception, and 3rd Party Assurance) — Halifax Health strengthened its capacity to reduce the potential for cyberattacks and their resulting problems before they happen, and to respond in an effective way if any breaches actually occur.

What healthcare leaders can do

Healthcare executives cannot be passive, or presume that their organization will not be the target of cyberattacks. If an organization’s leaders don’t regularly test their network’s defenses against cyberattacks and fall victim to a breach, the term “CIO” could have a new meaning: “Career Is Over.”

Patient information, clinical study data, and internal documentation are all far too important to leave at the mercy of cybercriminals. Understanding what drives hackers and ransomware attackers, and building your organization’s capacity to deter them, are non-negotiable steps in protecting the information on your network.

With the proliferation of devices in the clinical setting, another critical step is establishing and maintaining high-security policies for biomed and IoT devices. An organization’s security network is, as the adage says, only as good as its weakest link.

Taking a top-to-bottom, holistic approach to cybersecurity provides strength for every link in the chain that protects critical data. Most importantly, healthcare organizations of all sizes must make cybersecurity a priority for staff on every level, so that all users can do their part to combat the ongoing threats to the network.

Learn how to protect your organization against cyberattacks

Understanding the threats and vulnerabilities that we face as healthcare leaders — the hackers who try to breach our digital networks; the devices that we give to doctors and nurses that could potentially add vulnerable access points to PHI; and blockchain and cryptocurrency that could allow hackers to demand and receive untraceable payments — is absolutely critical to developing effective cybersecurity strategies.

From the organization’s perspective, the key objective is ensuring that all staff are provided with the tools they need to conduct their work safely, while limiting exposure to cyberattacks and routinely conducting enterprise-wide risk analysis to implement an effective plan to avoid future breaches.


Written by Tom Stafford, VP & CIO, Halifax Health

Tom Stafford is the Vice President and Chief Information Officer at Halifax Health. Tom joined the organization more than 10 years ago after a decade working as an engineer and product developer in the medical device industry. A veteran of the U.S. Navy, Tom holds a bachelor’s degree in aerospace engineering from Embry Riddle Aeronautical University and a master’s degree in mechanical engineering from the University of Central Florida. He is also a certified project management professional with more than 15 years of experience managing technically complex projects. In addition, he holds his Green Belt Six Sigma certification. Responsible for overall leadership in every IT initiative at Halifax Health, Tom blends his engineering experience of optimizing processes and systems with his management skills for mentoring and coaching staff. In doing so, he has created a culture that has put the hospital on Computerworld magazine’s Best Places to Work in IT three years in a row. In addition, Tom won a 2017 Computerworld Premier 100 Award for his leadership and innovative approaches.