Last month Robert Felps and I were fortunate to attend THA’s inaugural Texas Health Care Security & Technology Conference. Great speakers, wonderful host and facility, collegiate atmosphere – a great learning experience overall. Hats off to Fernando Martinez, THA’s Chief Digital Officer, and his team for a great couple of days. Here’s a brief recap of the key takeaways.
REALITY
- Cyber threats are dynamic. Bill Virtue reminded us that there have been more than 4000 ransomware attacks per day since the beginning of 2016 (that’s 2,892,000 attacks in 2 years!), and Michael Echols reported that the cyber criminals are continually learning and sharing information.
- Patient safety is at stake. Randy Yates, Bill Phillips, and Bob Chaput all gave examples of how the proliferation of medical IoT presents an increasing risk of patient harm if an attack shuts down or alters the performance of both diagnostic and treatment equipment, including CAT scanners, ultrasound machines, infusion pumps, and ventilators.
- The real financial impact of a breach can be 10x the OCR fine! The hard costs of notifications can add up quickly, the most common being legal fees, lawsuits, technology support, forensics experts, increased marketing costs, and increased staff time. The less tangible costs of brand damage will be evident in the bottom line. The examples were sobering.
Before everyone fell into complete despair, however, each speaker also offered guidance and remedies – as Bob Chaput of Clearwater put it, “No matter where you are, there is a path forward.” Below are key themes of the speakers’ recommendations, which I’ve labeled “reality management” because another key takeaway from the conference was that there is no such thing as being “done” with cybersecurity because cyber risk management is an ongoing process.
REALITY MANAGEMENT
- Cybersecurity is risk management. This was the title of Michael Echols’ presentation and pretty much sums up all the points that follow.
- Cybersecurity is a team sport. IT cannot and should not be managing cybersecurity in isolation. Everyone in the C-suite needs to understand the role they play in keeping patient data safe and the steps they need to take to get their managers and staff on board.
- A Security Risk Assessment is the essential first step. “You can’t secure your system if you don’t know where the vulnerabilities are.”
- Any device or equipment that connects to the network must be included in the SRA. Even devices that don’t tie directly into the EHR, such as a remote-controlled thermostat on the blood refrigeration unit – or the aquarium in the waiting area! – can be a point of entry for a malware attack.
- Cybersecurity requires a holistic, programmatic approach.
A single, new cybersecurity technology will not make your organization secure. Once the vulnerabilities have been identified via the security risk assessment, addressing those vulnerabilities will require administrative action, process improvements, and staff education and reinforcement, as well as technology adjustments. See #2 – cybersecurity is a team sport. - Establish an incident response plan – and practice it regularly. Organizations that prepare recover faster and incur fewer costs – hard and soft costs – in the event of a ransomware attack or other breach.
- Bottom line: Start now – and continue! Cyber risk management is a continuous improvement process.
In summary: (1) the threat is real and persistent; (2) technology alone won’t solve the problem.
If you’ve been an active cybersecurity player, there are few surprises here. Hopefully, however, it is reassuring to hear that you’re on the right path, and you’re not alone – hospital executives across the state and across the country are working hard to get out of the fire-fighting business and into holistic cyber risk management.
Building a CyberConfident™ World