By the EHRA Privacy & Security Workgroup
For many C level executives in a healthcare organization, cybersecurity equates to risk of a cyberattack that results in a Health Insurance Portability and Accountability Act (HIPAA) breach and fine.
The bigger risk posed by a cyberattack, however, is to patient safety. If you get anything from this blog post, it should be this: Cybersecurity incidents affect more than HIPAA compliance, and should be treated as a patient safety risk.
Categorizing cyberattacks as a patient safety risk elevates the importance of cybersecurity well beyond mitigating a potential HIPAA fine.
WannaCry
We all heard about the WannaCry ransomware attack in May 2017. That cyberattack affected computers running Microsoft operating systems worldwide; more than 200,000 computers in over 150 countries were infected with malware. National Health Service hospitals in England and Scotland were thrown into crisis mode when as many as 70,000 computers, MRI scanners, blood-storage machines, and other operating room equipment were infected. 19,000 patient appointments were cancelled.
News reports put the cost of that cyberattack to the NHS at £92 million. Fortunately, there is no evidence that any patients died as a direct result of WannaCry, but with diagnostic equipment out of commission and computer systems on lockdown, WannaCry could easily have evolved into a catastrophic patient safety issue costing healthcare organizations (HCOs) far more than a HIPAA fine. Imagine:
- A patient not getting a critical test or scan due to unavailability of diagnostic equipment
- A doctor making a treatment plan without the aid of a patient’s complete medical record
- A critical medical device not functioning properly in the middle of a surgery
These all happened during the WannaCry cyberattack, and they’re not unfamiliar to medical practices and organizations that faced their own crises when their computer systems were infected by malicious hackers.
For some organizations, cybersecurity threats have even become an existential risk — that is, the financial viability of the organization is put into question, potentially leaving patients with few accessible options for care.
The C level needs to be directly involved. This is not simply an IT issue. Strong leadership is necessary. The former CEO of Visa, Charles Scharf, made an important point in the foreword of “Navigating the Digital Age”:
“Don’t leave the details to others. Active, hands-on engagement by the executive team and the board is required. The risk is existential. Nothing is more important. Your involvement will produce better results as well as make sure the whole organization understands just how important the issue is.
“…Cybersecurity needs to be part of the fabric of every company and every industry, integrated into every business process and every employee action. And it begins and ends at the top. It is job number one.”
Making Cybersecurity a Priority
So how should C-suite healthcare executives address this patient safety concern? Here are four key pillars of any healthcare cybersecurity strategy:
- Invest in a security team. If you don’t have one already, you need a CISO (Chief Information Security Officer) who can establish and maintain the strategy and enterprise vision for your IT infrastructure. They will need a team of security professionals and those professionals will need training. A recent study found a gap of almost 3 million cybersecurity jobs globally, so the likelihood is that you will need to train good security professionals yourselves.
- Adopt a Framework. Be sure your security team employs a risk-based privacy and security framework based on the NIST Cybersecurity Framework.
- Participate in an Information Sharing Organization — There are a variety of cybersecurity information sharing groups, including many specific to the health sector. Some of these organizations include the Health Information Sharing and Analysis Center (H-ISAC), InfraGard, and the Cyber Health Working Group. Participation is an important way for healthcare organizations and vendors to stay on top of current cyber threats and prepare for the future. The EHR Association encourages our member organizations to engage with these groups, and to share relevant security and privacy information with customers, including security advisories related to our products, recent trends, and best practices.
- Train your staff. Make sure every employee understands their role in keeping patient information safe. From simple steps like following good password practices and logging out every time they step away from their monitor, to being alert for phishing scams, an aware and vigilant staff can protect your organization from many attempted hacks.
Excellent patient care is at the core of why we’re in healthcare. Don’t overlook the patient safety hazards of not prioritizing cybersecurity.