iatricSystems Shares How Cybersecurity Tools and Resources Can Work Together

Guy McAllister Director Privacy & Security, CISA 405 (d) Task Force Member, Board Secretary/Treasurer of Community Health IT

iatricSystems™, Inc.

How would you rank provider organizations’ sophistication levels in being able to properly defend themselves against cyberattacks (1 to 10 scale with 1 being completely unprepared and 10 being extremely advanced in their preparation)?

The level of sophistication related to defending against a cyberattack varies greatly. Smaller provider organizations may struggle to dedicate financial and human resource investments to protect against cyber threats. Larger health systems may be more advantaged with dedicated resources. As a result, I would say on average our industry is a 6, trending upward – often by necessity not choice.

What core challenges remain that are holding organizations back from having more advanced and proactive defense strategies?

One of the core challenges holding organizations back is threats being numerous and ever changing. There is no one-size-fits-all solution to “fix” the problem of defending against attacks. A key area of vulnerability is remote access in healthcare. While allowing vendors and employees to access hospital networks is a critical part of our daily operations, it remains a challenge. In many organizations, the method of remote access is cobbled-together tools attempting to allow access to the network. Therefore, the ability to detect and prevent threats is sometimes non-existent. Remote access monitoring and management must be part of the sophistication of cybersecurity preparedness. Organizations need to employ multiple tools to defend against multiple types of threats.

What cybersecurity best practices would you recommend above all in this current moment and how can technology/IT tools further help in this area?

Above all, multi-factor authentication is a must to protect your network from the growing threat of third-party breaches, especially on external access, but preferably for all access. Invest in both dedicated resources and cybersecurity tools, then train the people and use the tools. Let tools like AI work for you to determine behavioral activity and define what is normal and what isn’t. Using technology first will make your audit managers more effective and efficient. These solutions are a must where ePHI is concerned. Monitoring network access without monitoring ePHI access is dangerous and unwise.

Do you feel that cybersecurity professionals are currently empowered enough to drive change throughout their organizations?

I believe that the empowerment is evolving. Driving change in many healthcare systems involves physicians and senior leaders (especially CEOs). When I was a CIO, clinicians viewed EMRs as a workday disruptor. Similarly, today, cybersecurity initiatives are often viewed as disruptive by clinical care providers because the initiatives involve additional steps and are thus viewed as inconvenient. Those organizations that start seeing cybersecurity as a way to protect their patients and their organization versus as an inconvenience will have the empowerment. If the CEO recognizes the pain points of a cyberattack or breach, then cybersecurity professionals in that organization will be empowered to secure and protect. But, if the perceived inconvenience of security stirs the special interest groups and the CEO acquiesces, then cybersecurity professionals in that organization will ultimately fail to secure and protect.

Another concern senior leaders may have is the required IT cybersecurity spend. After the latest round of EMR replacements and upgrades, cybersecurity may not be at the top of the list for spending. But remember, the cost of recovering from a breach far outweighs investments in cybersecurity protection up front (both in monetary and in reputation).

How do you foresee the next 12 to 24 months playing out in the healthcare cybersecurity landscape? Do you think things will get worse before they get better or do you have a more optimistic view?

I agree with CHIME policy experts, who recently said, “A number of health IT-related bills, including those focusing on telehealth and cybersecurity, are expected to be introduced by lawmakers next year, but they will likely be stalled in Congress with the upcoming election and the impeachment inquiry…” In the next 12 to 24 months, as consumer frustrations continue to grow over privacy breaches and as ransomware attacks continue to increase and impact our organizations, pressure for Federal regulations will increase and how well an organization is or is not securing and protecting its data will become more transparent. Intentionality in healthcare cybersecurity will need to step up and improve in the next 12 to 24 months. Patients (consumers) will demand it.

Sponsored Content

100 Quannapowitt Pkwy., Unit 405 Wakefield, MA 01880
