From the October 2022 issue of HealthCare Business News magazine
By Matt Murren
Cybersecurity threats to healthcare operations range from infamous ransomware programs like WannaCry, to health system shutdowns caused by infected emails, to denial-of-service attacks, all of which interrupt the continuity of patient care. The financial implications of these interruptions are massive. For over a decade, healthcare has been paying more than any other industry in the U.S. for data breaches, reaching an average of $9.23 million per incident in 2021.
How well is your private practice, ambulatory care center, or hospital currently defending against these threats? And once an attack occurs, how prepared are you to respond?
1. Do you have an updated map of your systems and their vulnerabilities?
To map a clinic or hospital’s operational systems and points of vulnerability, it is crucial to think beyond the EMS and the billing/payment platform. For instance, Internet of Things (IoT) capabilities and remote technologies for patients hold great benefits for workflow and patient-centric care, but they also expose the organization to new cybersecurity risks. Practices and hospitals may not immediately think of all of these tie-ins when they consider their obligation to protect patient and organizational data.
Every institution, from single-facility clinics to multisite health systems, should bring together experts from across the organization to prepare what’s called a “matrix of criticality”—a document that lists all of the systems used in normal business operations, including those governing the physical facility, and ranks them in terms of necessity and potential harm if compromised.
Understanding how various systems affect patient care is one goal of this interdisciplinary exercise; another is determining who uses each system so that they can be notified of alternative or failover systems in the case of an outage. A final goal is to identify who is responsible for securing these systems before a breach—and during recovery.
2. Are you keeping up with security updates?
Along with a map of their systems, organizations must get a clear sense of their capacity to protect them. If in-house IT personnel are too busy with daily tasks to keep up with the patches and security fixes issued intermittently by system manufacturers, the organization may need to enlist external resources to do so.
While monitoring vendor sites for system updates will help protect systems from attack, there are also measures practices can take before they bring on new technologies or add-ons to help lessen the burden on in-house IT. Contracts with new vendors can include expectations for the vendor’s ongoing security monitoring and compliance, for example. Contracts can also include provisions about shared liability in the event of a breach.