The following is an article from the American Hospital Association (By John Riggi, Senior Advisor for Cybersecurity and Risk, American Hospital Association) that talks about cybersecurity and protecting patient safety.
Health care organizations continually face evolving cyberthreats that can put patient safety at risk. That’s why I advise hospital C-suite and other senior leaders not to view cybersecurity as a purely technical issue falling solely under the domain of their IT departments. Rather, it’s critical to view cybersecurity as a patient safety, enterprise risk and strategic priority and instill it into the hospital’s existing enterprise, risk-management, governance and business-continuity framework.
Aligning cybersecurity and patient safety initiatives not only will help your organization protect patient safety and privacy, but will also ensure continuity of effective delivery of high-quality care by mitigating disruptions that can have a negative impact on clinical outcomes.
Why Health Care Gets Hit More
Health care organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves and nation-state actors. The targeted data includes patients’ protected health information (PHI), financial information like credit card and bank account numbers, personally identifying information (PII) such as Social Security numbers, and intellectual property related to medical research and innovation.
In fact, stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web. Unfortunately, the bad news does not stop there for health care organizations — the cost to remediate a breach in health care is almost three times that of other industries — averaging $408 per stolen health care record versus $148 per stolen non-health record.1
How Cyberattacks Threaten Patient Privacy, Clinical Outcomes and Your Hospital’s Financial Resources
Cyberattacks on electronic health record and other systems also pose a risk to patient privacy because hackers access PHI and other sensitive information. By failing to keep patient records private, your organization could face substantial penalties under HIPAA’s Privacy and Security Rules, as well as potential harm to its reputation within your community.
Most importantly, patient safety and care delivery may also be jeopardized. Losing access to medical records and lifesaving medical devices, such as when a ransomware virus holds them hostage, will deter your ability to effectively care for your patients. Hackers’ access to private patient data not only opens the door for them to steal the information, but also to either intentionally or unintentionally alter the data, which could lead to serious effects on patient health and outcomes.
Another example: Patient outcomes were threatened when Britain’s National Health Service was hit as part of the May 2017 “WannaCry” ransomware attack on computer systems in 150 countries, resulting in ambulances being diverted and surgeries being canceled. Since that time there have been other instances of ambulance diversion orders issued due to ransomware, including here in the U.S. With proper planning and investment, however, it’s possible to mitigate this risk. As I told Congress last July, “The impact of Wannacry on American hospitals and health systems was far less serious, which speaks to the tremendous efforts the field has made to improve cybersecurity and build incident-response capabilities.”
Take Steps to Protect Your Organization
The cyber bad guys spend every waking moment thinking about how to compromise your cybersecurity procedures and controls. The best defense begins with elevating the issue of cyber risk as an enterprise and strategic risk-management issue. If possible, you should also dedicate at least one person full time to lead the information security program, and prioritize that role so that he or she has sufficient authority, status and independence to be effective. Furthermore, you and your team should receive regular updates on your organization’s strategic cyber risk profile and whether adequate measures are dynamically being taken to mitigate the constantly evolving cyber risk.
Finally, the most important defense is to instill a patient safety-focused culture of cybersecurity. This enables health care organizations to leverage their existing culture of patient care to impart a complementary culture of cybersecurity. A culture of cybersecurity, where the staff members view themselves as proactive defenders of patients and their data, will have a tremendous impact in mitigating cyber risk to the organization and to patients.
How ContinuITy™ by The HCI Solution Can Help
ContinuITy™ can be used for planned or unplanned system downtimes and even during full network outages. Carefully honed workflows that strive for excellent patient care and efficiency cannot tolerate any level of system downtime. Finally, there is a MEDITECH downtime system that is familiar to all MEDITECH users, easy to use, secure, and incredibly resilient.
Fill out the below form to request a demo and have one of our experts further explain why ContinuITy™ is an essential part of any healthcare IT system:
The following is an article from Health IT Security (by xtelligent HEALTHCARE MEDIA) that talks about how to protect your healthcare IT system from an array of threats to your operation.
Whether it’s a ransomware attack or a tornado, hospitals and health systems must be able to maintain business continuity through a crisis. Both natural and human-made threats have the power to disrupt workflows, and with patient care on the line, healthcare organizations cannot afford to lose access to critical data and systems.
While incident recovery plans are required by HIPAA and are crucial to restoring operations, they only address specific symptoms of a larger underlying need: enterprise resilience.
Healthcare organizations can better prepare themselves to withstand disasters by assessing the current threat landscape and focusing on business continuity and resilience rather than just recovery. Leveraging cloud technology can also reduce the burden on healthcare organizations to manage these threats independently, providing trustworthy solutions to protect critical data.
The Current Threat Landscape
Threats to business continuity can come in many forms. From California wildfires to flooding in the Carolinas, unforeseen natural hazards can leave organizations with full ICUs and limited access to critical on-premises data.
At the same time, bad actors have launched cyberattacks against health IT infrastructure — taking systems offline and disrupting day-to-day operations. Beyond external cyber threats, poor employee cyber hygiene may invite phishing scams and endanger even the most robust security architectures.
Healthcare records are worth up to $250 per record on the black market, compared to just $5.40 for payment card information, the next highest value record, SecureLink found. In fact, of all critical infrastructure sectors, the healthcare sector faced the most ransomware attacks in 2021, the FBI’s Internet Crime Complaint Center (IC3) observed in a recent report.
And, HHS recently issued a brief to warn organizations of increased EHR security risks in light of recent cyberattacks. The brief recommended that organizations implement technical safeguards and heighten their cyber resilience to combat these threats.
Healthcare Has a Resilience Problem
But Hector Rodriguez, executive security advisor, WWPS health and life sciences at AWS, suggested that focusing on one problem at a time means missing an opportunity to look at your framework, architecture, and solutions to address the concept of resiliency holistically.
“By treating each of those symptoms one at a time, you are not treating the real issue, which is a lack of resiliency. It’s important that organizations measure how resilient they are at an enterprise level, not just at an individual application, department, or building level,” Rodriguez said.
“This means reevaluating people, tools, and documentation policies and procedures and making sure they’re connected.”
Tips For Achieving Enterprise Resilience
Research conducted by the Boston Consulting Group (BCG) Henderson Institute suggested that organizations build a resilient business model based on principles of biology. Resilient biological systems exhibit six characteristics: redundancy, heterogeneity, modularity, adaptation, prudence, and embeddedness. These characteristics can be applied to businesses to help them maintain resilience by adapting to unexpected events and optimizing efficiency.
Enterprise resilience requires organizations to take a holistic approach to security and safety. They must examine resilience in the supply chain, among employees, within applications, and even within data storage.
“You must leverage newer technologies for immutable data backups and encryption,” Rodriguez advised. “The goal here is availability. If I lose access to my medical record, pharma system, or supply chain system, I will have trouble running a hospital.”
Cloud technology is one of the many tools that can help organizations achieve enterprise resilience and mitigate risk. Cloud adoption may not only allow for quicker recovery but may also reduce the risk of ransomware and data breaches. Rather than a hospital dealing with on-premises patching, cloud vendors patch and update behind the scenes, reducing the risk of out-of-date systems allowing for cyber-attacks.
In addition to cloud technology, comprehensive disaster recovery and incident response plans, including practicing for an event, can help healthcare organizations maintain patient safety and prevent further damage in the face of more predictable human-made and natural threats.
Additionally, enterprise resilience strategies go beyond standard IT disaster recovery by also addressing people and processes. People resiliency requires regular training and tabletop exercises. Every individual within an organization has a role in disaster recovery, and those roles should be clearly defined and should be practiced regularly. In fact, this is the place to start – modern security awareness training is key to building a resilient organization.
Data and application resiliency is also particularly vital to healthcare due to the sector’s reliance on EHR systems. When an organization loses access to its network, patient information may be completely inaccessible.
“A resilient strategy is designed to enable you to bounce back from anything that happens in your organization,” Rodriguez explained. “When you are more resilient, you can handle just about any disaster thrown at you, and you can also maintain highly available systems and capabilities.”
Rather than strictly safeguarding against and preparing for predictable threats, healthcare organizations should shift their focus toward attaining enterprise resilience to ensure data security and business continuity.
“We need to stop solving problems in the past. We need to design for the future. And that’s what this is about,” Rodriguez emphasized. “Let’s design a more resilient industry overall.”
How ContinuITy™ by The HCI Solution Can Help
ContinuITy™ can be used for planned or unplanned system downtimes and even during full network outages. Carefully honed workflows that strive for excellent patient care and efficiency cannot tolerate any level of system downtime. Finally, there is a MEDITECH downtime system that is familiar to all MEDITECH users, easy to use, secure, and incredibly resilient.
Fill out the below form to request a demo and have one of our experts further explain why ContinuITy™ is an essential part of any heathcare IT system: