Healthcare is not immune to the threat of cyberattacks in today’s technology-driven world. Hospitals and health systems are vulnerable, and the risks seem to increase daily. Aggressive data breaches, malware, and ransomware can cripple an organization.
The good news is that innovation in healthcare is growing exponentially; the bad news is that innovation often creates more opportunities for cyberattackers who see health data as a valuable commodity. Unfortunately, healthcare lags behind other sectors in preparing for and avoiding attacks.
As the articles and commentaries in this issue of Frontiers of Health Services Management attest, any organization can be a target of sophisticated attackers. They find smart devices, mobile apps, and wearables connected to the information technology (IT) infrastructure especially inviting. Phishing, in which e-mailed links hook unsuspecting staff, is a common way attackers breach systems, and everyone in an organization must be educated about the risk. Through organization-wide training, leaders can raise critical security consciousness, explain the various threats, develop and disseminate policies and procedures, emphasize the severe consequences of an attack, and convey shared responsibility. In cybersecurity, everyone is a stakeholder.
A risk assessment of IT, mobile and medical devices, and all systems across the continuum of care is an important initial step. Although many healthcare leaders identify cybersecurity as a pressing concern, they may not always ensure that necessary financial and human resources are allocated to meet the risks, which leaves their organizations vulnerable. Funding to prevent attacks must be sufficient because not being prepared can be even more costly.
Feature article author Dennis W. Pullin, FACHE, provides a comprehensive review of the issue and shares specific tactics to mitigate risk and protect patients, employees, and other stakeholders. As president and CEO of Virtua, one of New Jersey’s largest nonprofit health systems, he has overseen organization-wide education and awareness, incorporated data security into the strategic plan and culture, and added an IT committee to the board. Pullin writes, “Through my own communication and governance, I uphold the seminal medical ethic of ‘do no harm.’ The communication and governance practices we have established around cybersecurity embrace that profound medical ethic.”
In their feature article, Michael J. Reagin and Michael V. Gentry, FACHE, discuss three primary elements of the cybersecurity program at Sentara Healthcare in Virginia: people, process, and technology. These focal points cover engagement of all leaders and board members, multidisciplinary participation, a sound security framework, the right people and technology, education, and partnerships. The authors provide guidance for leaders to use in their organizations, declaring, “Cybersecurity is no longer an option or an afterthought—it is a strategic asset that every organization must address, especially in healthcare.”
Commentators Dane C. Peterson, Anne Adams, Sheila Sanders, and Brad Sanford of Emory Healthcare in Atlanta emphasize the costs of a breach and business partner risk; the importance of multifactor authentication, education, leadership, and culture; and the value of membership in the National Health Information Sharing and Analysis Center. “Protecting a health system’s patients, employees, and assets from cyber threats and cyber risks should be a priority for all leaders,” they write.
Bringing an insurer’s perspective, commentator Sean P. Murphy, FACHE, of Premera Blue Cross in Washington and Alaska suggests that organizations “are moving in the right direction” when they recognize cybersecurity as a critical strategic asset. He underscores the importance of a comprehensive enterprise cybersecurity program, starting with the involvement of the CEO and governing board.
Commentator Carla Smith, executive vice president of the Healthcare Information and Management Systems Society in Chicago, explains how leaders can support the task at hand and why they should support it. “The patients they serve, the clinicians they rely on, the sustainability of their healthcare organizations, and the communities they live in all depend on their leadership in cyber readiness,” Smith notes.
As all the authors contributing their expertise to this issue of Frontiers of Health Services Management make clear, the potential costs of privacy breaches, penalties, and damage to reputations are significant. Cyberattacks pose a real threat that all healthcare leaders and boards can and must address with strategic plans of action to prevent vulnerabilities, minimize risk, and respond to incidents when they do occur.