The cyber threat landscape for hospitals and other health care organizations is changing. Health care organizations continue to be the subject of attacks by hackers seeking access to patient data for resale on the black market. Even more ominous are the increasing instances of ransomware attacks, where cybercriminals shut down hospital operations by encrypting all of the hospital’s data until a ransom is paid.
Texas is no exception. In the past 12 months, the Office for Civil Rights (OCR), in the U.S. Department of Health and Human Services, opened investigations on 21 Texas health care organizations for data breaches affecting more than 437,000 individuals. In addition, the number of ransomware attacks hitting health care providers throughout the state has been on the rise.
The Texas Hospital Association (THA) recognizes the need to be proactive in the face of evolving cybersecurity threats. To that end, THA hosted the first annual Texas Health Care Security and Technology Conference in April 2018 in Austin, Texas. The conference was designed to bring together health care information security experts from across Texas and beyond to share best practices in planning for and responding to cyber threats.
Traditional approaches to cyber risk are becoming less effective. The new era of cybersecurity requires hospitals and health care organizations to approach cyber risk with new tools, new strategies and, most importantly, a new risk identification focus. Three important facts about cybersecurity underscore how the health care industry’s approach to cybersecurity has been transformed in the last few years:
Cybersecurity is now a team sport
Not long ago, cybersecurity was an obscure function relegated to the computer nerds in the information technology (IT) department. Not anymore. Cyber risk management is now an enterprise-wide risk management issue. The spread of ransomware and other equally destructive malware threats means that an organization’s entire business operation may be at risk. Patient safety has become an issue as well.
This is why interdepartmental cooperation has become so important. Cyber risk management is an issue that should involve not only the IT department, but also operations, quality, security, clinical, engineering, compliance, finance, legal, risk management – literally every department in the organization. Each has a role to play in identifying and mitigating cybersecurity threats.
Likewise, every individual associated with the organization – from the chief executive officer to the volunteer who works part-time at the information desk – needs to be engaged with cyber risk management. It only takes one person – one employee who clicks on a phishing email, or one volunteer who uses the word “password” as their password for the system – to expose an entire hospital network to a cyberattack.
Boards have to be on board
An organization’s board of trustees does not have to understand the difference between WannaCry and SamSam (two types of ransomware attacks), but they do need to understand what is at stake. Data breaches can (and have) led to fines, penalties, legal costs, class settlements and reputational damage running to tens of millions of dollars. Patient safety is also a serious issue. A hospital shut-down due to a ransomware attack, or hackers accessing Internet-connected medical devices, could threaten patient lives. Board members need to understand the scope, likelihood and potential impacts of cybersecurity attacks. Only then will they have the information they need to make informed decisions about budgeting resources to mitigate those risks.
Compliance is necessary, but not sufficient
Many health care organizations focus on compliance with the security and privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA). Although it is very important to have HIPAA-compliant security measures in place, compliance is only one small part of a much bigger information risk management picture. A comprehensive risk management program includes an enterprise-wide analysis of all information assets and exposures. Furthermore, a comprehensive program entails adopting a risk management framework, such as the NIST Cybersecurity Framework, implementing a rigorous process, and adhering to a continuous process improvement mindset. Because the cybersecurity landscape continues to change and evolve, a “once-and-done” process or a simple compliance checklist is not sufficient to protect an organization.
These are just a few of the topics that were addressed at THA’s inaugural Texas Health Care Security and Technology Conference.
For more information about the conference, visit https://www.tha.org/techconference.
Fernando Martinez, Ph.D., is the senior vice president and chief digital officer of Texas Hospital Association and president/CEO of the Texas Hospital Association Foundation. Bob Chaput is founder and CEO of Clearwater Compliance.
© 2020, TechNation Magazine.