By Kate Pierce, CIO/CISO, North Country Hospital
I’m sure you’ve heard the expression, “We’re all in this together.” Unfortunately, this sentiment has never been more accurate than when speaking about your healthcare organization’s information security. In today’s environment, having a culture of security within your organization is a must. 2021 was a historic year for both the increased use of technology in the healthcare setting and the increased number of cyberattacks that have crippled organizations, and 2022 is on the same upward trajectory so far.
COVID-19 brought with it many new digital tools to help address a variety of needs that arose seemingly overnight: telehealth usage increased extensively, a large percentage of the workforce moved to remote settings, and reporting and dashboards became essential tools for providing up-to-the-minute insight. These were among the top technology expansions, although there were many more. Along with this technology boom, cyberattacks grew exponentially, negatively affecting patient care, consuming scarce organizational resources, and sending costs skyrocketing for affected organizations. These increased attacks were especially impactful during a period with unprecedented staffing shortages, increased hospitalization rates, and constantly changing requirements.
It is evident that healthcare’s typical approach, in which the responsibility for preventing these cyberattacks lies solely with organizational IT and security teams, is no longer adequate. While these teams do have a large role in ensuring that everything ‘technically’ possible is being done to lower risk and mitigate adverse outcomes from cyberattacks, our employees remain our greatest risk. In fact, every single person in the organization has a role to play in the prevention of attacks, as well as the response.
It is also important to note that, while cyberattacks have grown significantly over the past few years, there has been a wide variety of results from these attacks, with a marked difference in the amount of downtime, the overall costs, and the negative impact inflicted. For example, in 2020, a top healthcare organization had nearly six weeks of downtime, resulting in a reported $63 million in costs, while other organizations had minimal downtime and little monetary impact. This highlights the difference seen between a well-prepared healthcare system experiencing an inevitable attack and an unprepared organization. An organization with a strong security culture responds quickly, decisively, and in a well-rehearsed, organized manner. In contrast, an unprepared organization can experience results that are absolutely devastating, sometimes even leading to closure.
While an organizational security culture takes time to build, you can start today by developing a strategy, building consistency across the organization, and being fully engaged with making security a system-wide priority.
The overall cost of a cyberattack goes beyond just the immediate financial loss, and includes the risk of reputational harm to the organization, the possible negative impact on patients’ lives, and even cost increases for cyber insurance policy premiums. With the sharp rise in attacks, cyber insurers are now evaluating organizational cyber posture, including technical controls, educational programs, and incident response training, as key components of their renewals. Some insurers are even scanning organizations’ networks and providing reports to their customers to assist with improving their security posture.
In addition, with the marked escalation in cyber threats accompanying the Russia–Ukraine war in recent weeks, it is even more imperative that healthcare organizations embrace a culture of security by sharing information with their staff regarding the constantly evolving threat landscape and how to identify potential threats. No longer is security a once-a-year, one-hour training session for staff. Instead, security now involves sharing continual insights and education to ensure that staff are aware, constantly vigilant, and fully understand how to respond when an attack occurs.
While most facilities fall somewhere in the middle of the cyber preparedness spectrum, it is imperative that organizations change their approach to security by creating an organization-wide culture that recognizes the importance of information security, and embraces security controls. This is the key to keeping bad actors out of our networks, as well as controlling the spiraling costs of security.
An organizational security culture takes time to build, but it can be achieved by developing a strategy, building consistency across the organization, and being fully engaged with making security a system-wide priority. Strong security training during onboarding for new staff, ongoing security education, incident response training, and active phishing testing are key components to creating the security culture. In addition, there must be active engagement in security protocols across the board, with every individual understanding their contribution to the overall security of the organization’s information.
The good news is that you don’t have to do this alone. There are a growing number of federal and state resources available for healthcare organizations to leverage, and most are free. For example, CISA has teams available to assist healthcare organizations in improving security. The FBI has trained regional cyber security experts for organizations to partner with on security enhancements, and there are state and local security organizations. In addition, there are a number of new grants available to healthcare organizations to help defray the cost of implementing a robust security program. While the threats are growing, so are the resources.
With today’s high-technology healthcare environment, it’s important that healthcare facilities begin adopting a culture of security across the entire organization now! While strong technical security controls are a necessity for every security program, building a culture of security must be at the center of the strategy. How your organization responds to the inevitable attack can be a matter of life and death for your patients, and your facility. Are you ready?