A high-level guide for hospital and health system senior leaders
The following is an article from the American Hospital Association (By John Riggi, Senior Advisor for Cybersecurity and Risk, American Hospital Association) that talks about cybersecurity and protecting patient safety.
Health care organizations continually face evolving cyberthreats that can put patient safety at risk. That’s why I advise hospital C-suite and other senior leaders not to view cybersecurity as a purely technical issue falling solely under the domain of their IT departments. Rather, it’s critical to view cybersecurity as a patient safety, enterprise risk and strategic priority and instill it into the hospital’s existing enterprise, risk-management, governance and business-continuity framework.
Aligning cybersecurity and patient safety initiatives not only will help your organization protect patient safety and privacy, but will also ensure continuity of effective delivery of high-quality care by mitigating disruptions that can have a negative impact on clinical outcomes.
Why Health Care Gets Hit More
Health care organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves and nation-state actors. The targeted data includes patients’ protected health information (PHI), financial information like credit card and bank account numbers, personally identifying information (PII) such as Social Security numbers, and intellectual property related to medical research and innovation.
In fact, stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web. Unfortunately, the bad news does not stop there for health care organizations — the cost to remediate a breach in health care is almost three times that of other industries — averaging $408 per stolen health care record versus $148 per stolen non-health record.1
How Cyberattacks Threaten Patient Privacy, Clinical Outcomes and Your Hospital’s Financial Resources
Cyberattacks on electronic health record and other systems also pose a risk to patient privacy because hackers access PHI and other sensitive information. By failing to keep patient records private, your organization could face substantial penalties under HIPAA’s Privacy and Security Rules, as well as potential harm to its reputation within your community.
Most importantly, patient safety and care delivery may also be jeopardized. Losing access to medical records and lifesaving medical devices, such as when a ransomware virus holds them hostage, will deter your ability to effectively care for your patients. Hackers’ access to private patient data not only opens the door for them to steal the information, but also to either intentionally or unintentionally alter the data, which could lead to serious effects on patient health and outcomes.
Another example: Patient outcomes were threatened when Britain’s National Health Service was hit as part of the May 2017 “WannaCry” ransomware attack on computer systems in 150 countries, resulting in ambulances being diverted and surgeries being canceled. Since that time there have been other instances of ambulance diversion orders issued due to ransomware, including here in the U.S. With proper planning and investment, however, it’s possible to mitigate this risk. As I told Congress last July, “The impact of Wannacry on American hospitals and health systems was far less serious, which speaks to the tremendous efforts the field has made to improve cybersecurity and build incident-response capabilities.”
Take Steps to Protect Your Organization
The cyber bad guys spend every waking moment thinking about how to compromise your cybersecurity procedures and controls. The best defense begins with elevating the issue of cyber risk as an enterprise and strategic risk-management issue. If possible, you should also dedicate at least one person full time to lead the information security program, and prioritize that role so that he or she has sufficient authority, status and independence to be effective. Furthermore, you and your team should receive regular updates on your organization’s strategic cyber risk profile and whether adequate measures are dynamically being taken to mitigate the constantly evolving cyber risk.
Finally, the most important defense is to instill a patient safety-focused culture of cybersecurity. This enables health care organizations to leverage their existing culture of patient care to impart a complementary culture of cybersecurity. A culture of cybersecurity, where the staff members view themselves as proactive defenders of patients and their data, will have a tremendous impact in mitigating cyber risk to the organization and to patients.
How ContinuITy™ by The HCI Solution Can Help
ContinuITy™ can be used for planned or unplanned system downtimes and even during full network outages. Carefully honed workflows that strive for excellent patient care and efficiency cannot tolerate any level of system downtime. Finally, there is a MEDITECH downtime system that is familiar to all MEDITECH users, easy to use, secure, and incredibly resilient.
Fill out the below form to request a demo and have one of our experts further explain why ContinuITy™ is an essential part of any healthcare IT system: