Original Post: http://www.hcanews.com
By: Fernando Martinez, PhD, and Bob Chaput
The cyberthreat landscape for hospitals and other healthcare organizations is changing. Healthcare organizations continue to be the subject of attacks by hackers seeking access to patient data for resale on the black market. Even more ominous are the increasing instances of ransomware attacks, where cybercriminals literally shut down hospital operations by encrypting all of the hospital’s data until a ransom is paid.
Texas is no exception. In the past 12 months, the Office for Civil Rights (OCR), in the US Department of Health & Human Services, opened investigations into 21 Texas healthcare organizations for data breaches affecting more than 437,000 individuals. In addition, the number of ransomware attacks hitting healthcare providers throughout the state has been on the rise.
The Texas Hospital Association (THA) recognizes the need to be proactive in the face of evolving cybersecurity threats. To that end, THA is hosting the first annual Texas Healthcare Security and Technology Conference, April 19 and 20, 2018, in Austin, Texas. The conference is designed to bring together healthcare information security experts from across Texas and beyond to share best practices in planning for and responding to cyberthreats.
Traditional approaches to cyber risk are becoming less effective. The new era of cybersecurity requires hospitals and healthcare organizations to approach cyber risk with new tools, new strategies, and, most importantly, a new risk identification focus. Three important facts about cybersecurity in 2018 underscore how the healthcare industry’s approach to cybersecurity has been transformed in the last few years.
1. Cybersecurity is now a team sport. Not so long ago, cybersecurity was an obscure function relegated to the computer nerds in the information technology (IT) department. Not anymore. Cyber risk management is now an enterprise-wide risk management issue. The spread of ransomware and other equally destructive malware threats means that an organization’s entire business operation may be at risk. Patient safety has become an issue as well.
This is why interdepartmental cooperation has become so important. Cyber risk management is an issue that should involve not only the IT department, but also operations, quality, security, clinical, engineering, compliance, finance, legal, risk management—literally every department in the organization. Each has a role to play in identifying and mitigating cybersecurity threats.
Likewise, every individual associated with the organization—from the chief executive officer to the volunteer who works part-time at the reception desk—needs to be engaged with cyber risk management. It only takes one person—one employee who clicks on a phishing email, or one volunteer who uses the word “password” as their system password—to expose an entire hospital network to a cyberattack.
2. Boards have to be “on board” for cybersecurity efforts to be effective. An organization’s board of trustees does not have to understand the difference between WannaCry and SamSam (two types of ransomware attacks), but they do need to understand what is at stake. Data breaches can lead (and have led) to fines, penalties, legal costs, class-action settlements, and reputational damage running to tens of millions of dollars.
Patient safety is also a serious issue. A hospital shutdown due to a ransomware attack, or hackers accessing internet-connected medical devices, could threaten patient lives. Board members need to understand the scope, likelihood, and potential impacts of cybersecurity attacks. Only then will they have the information they need to make informed decisions about budgeting resources to mitigate those risks.
3. Compliance is necessary, but not sufficient, to protect from today’s cyberthreats. Many healthcare organizations focus on compliance with the security and privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). Although it is very important to have HIPAA-compliant security measures in place, compliance is only one small part of a much bigger information risk management picture. A comprehensive risk management program includes an enterprise-wide analysis of all information assets and exposures.
Furthermore, a comprehensive program entails adopting a risk management framework, such as the NIST Cybersecurity Framework, implementing a rigorous process, and adhering to a continuous process improvement mindset. Because the cybersecurity landscape continues to change and evolve, a “once-and-done” process, or a simple compliance checklist, is not sufficient to protect an organization.