June 2024: Cybersecurity Essentials for Hospital Leaders

Welcome to the June 2024 edition of The MicroScope, a condensed version of all the content you can expect to see on The Scope. Each month, we'll take a closer look at an advocacy theme or issue that Texas health care leaders should be aware of, with commentary from our CEO, John Hawkins, and executives from our member hospitals.

This month, we're examining an issue that remains topical in health care: cybersecurity.

The health care sector has increasingly become a prime target for cybercriminals. According to a report from the U.S. Department of Health and Human Services Office for Civil Rights, there was a 278% increase in large breach cyber incidents in health care from 2018 to 2022.

Unlike other highly targeted industries, cyberattacks launched against hospitals pose a real threat to human life and patient safety. These incidents can disable critical systems like electronic medical records, lock access to vital patient data and create operational downtime, forcing hospitals to revert to manual processes that delay care.

As hospitals and health care providers adopt more digital technologies, the attack surface for cyber threats expands, making it imperative for health care leaders to prioritize robust cybersecurity measures as an integral piece of patient care.

John Riggi, national advisor for Cybersecurity and Risk at the American Hospital Association, routinely conducts interactive cybersecurity workshops for THA members.

From Texas Hospitals

Here's how Texas hospital leaders are responding to the trend of cyber threats and incidents in health care:

"As we continue to move towards a Zero Trust model, preparing for worst case scenarios is key in developing robust incident response plans. And now the new worry is the use of artificial intelligence and machine learning by threat actors in designing even more targeted cybersecurity attacks, making defense more difficult and the counter use of AI and machine learning imperative."

Ray Davis, Chief Information Officer, University Medical Center of El Paso (UMC)

"Rural and community hospitals are often fighting an uphill battle regarding cybersecurity. Budgetary constraints limit their ability to invest in robust security solutions and dedicated IT staff. This, coupled with the ever-increasing sophistication of cyberattacks, makes them prime targets for ransomware attacks and data breaches. The good news is that more and more hospital CEOs are recognizing the threat. They are prioritizing cybersecurity investments, collaborating with experts, and fostering a culture of security awareness among staff to lower the risk of a cyber disruption. The future of healthcare relies on innovation, and that must include innovation around data security."

Brian Doerr, SVP of IT, Security & Privacy, Community Hospital Corporation

"Purposeful and deliberate hospital incident response preparedness exercises are key to reinforcing the fact that avoiding, or minimizing the impact from a cyber incident, is primarily an organizational business risk management concern, not merely an IT responsibility. THA is promoting hospital simulated cyber-incident exercises with full participation from organizational leaders across the enterprise. This level of participation is key to timely and effective incident response and recovery."

Fernando Martinez, SVP/Chief Strategy Officer, Texas Hospital Association


From the CEO's Desk

Change Healthcare Breach is a Sobering Wakeup Call on Cybersecurity

Written by John Hawkins, President/CEO, Texas Hospital Association

It seems that every month, the threat becomes greater and greater for hospitals across the country: the possibility that bad actors can disrupt the hospital’s operations – or effectively bring them to a halt – without the offenders leaving their couch. Read the full article here.


From The Scope

Hospitals' Guide to Balancing Internal and External Threat Management

Written by Fernando Martinez, SVP/Chief Strategy Officer, Texas Hospital Association

Protecting an organization’s cybersecurity can be described as a bifurcated strategy that consists of an external or outside view looking in and internal situational awareness. Organizations face resource challenges including an expertly skilled workforce, availability of current technology tools and services, and limited budgets.

Generally, technology is not the mission of the organization but rather serves as the foundation from which all mission services emanate. As such, the importance of high-performing technology capabilities and the management of organizational risk through strong technology management cannot be overstated. Too often, striking a balance between the degree of IT investment (financial, operational, and administrative) and the correlated impact to organizational operational risk is a matter of chance rather than design.

A critical internal security strategy centers around the real-time detection of imminent threats or successful exploits. External threat strategies center on managing the network perimeter and controls that impact logical access to an organization's network and computing devices. Understanding how such threats emerge and the role that logical and physical network architecture and management have in managing IT security risk is central to developing and implementing successful countermeasures. Continue reading here.


Protecting Patient Data by Preventing Cyber Attacks

Written by INSURICA

The threat of a data breach in a health care facility is daunting. Privacy is the foundation of hospitals’ information systems, and compliance with the Health Insurance Portability and Accountability Act (HIPAA) – along with the facility’s reputation – will be jeopardized if just one patient’s information falls into the wrong hands. Health care facilities are particular targets for two reasons:

  • Type of data stored: Health care facilities may keep a patient’s social security number, insurance and financial account data, birth date, name, billing address, and phone number, making them a valuable target for cyber attack.
  • Many potential vulnerabilities: Health care facilities are obligated to provide access to several external networks and web applications in order to stay connected with patients, employees, insurers or business partners. The volume of data shared represents a risk.

It is much less costly, both from a financial and reputational point of view, to prevent a cyber breach than to notify individuals and the Department of Health and Human Services of a breach as required by the Health Information Technology for Economic and Clinical Health Act (HITECH). As a result, administration must respond by preventing, detecting and responding to cyber attacks or misuse of patient records through a well-orchestrated cybersecurity program. Read more here.


From Our Partners

Apply for THA Insurance Agency's Cyber Protection Program

To help protect hospitals from cyber incidents, THA partnered with Envision Captive Consultants, LLC and the New Mexico and Oklahoma Hospital Associations to build a cyber insurance and risk management program. Learn more and apply here.

For over four decades, THA has partnered with the best companies in the market that provide products and services that address the most pressing issues hospitals face. Here are our vetted cybersecurity partners:

  • ActZero: a THA Endorsed Partner, ActZero provides a powerful full-stack cybersecurity solution at a fair price. Learn more about ActZero here.
  • Cynerio: a THA Industry Partner, Cynerio secures health care environments by providing device-focused proactive and reactive solutions against common cyber attacks. Learn more about Cynerio here.


From YOU

As cybersecurity becomes an increasingly higher priority amongst health care leaders, what are your favorite resources, programs, thought leaders, etc., that help you stay informed about the latest cybersecurity threats and trends in health care? Let us know in the comments below.


As cyberattacks on hospitals rose by 278% from 2018 to 2022, patient safety and data security are more critical than ever. This blog post reminds us of the rising cyber threats facing hospitals and the importance of adopting comprehensive cybersecurity strategies. We are proud to support hospitals in their cybersecurity efforts.

Leo Cole

CEO/Board Advisor | Cyber Security Advisor | CISO

5 months

This is all great but we've heard the numbers and what to do about it before. It's time for CEOs and boards to take charge and actively push this conversation – not delegate it. To do that you need help translating all this techno-jargon into business risk you understand. You need a C-level leader or advisor that can do that for you. Insist on a set of key performance indicators (KPIs) that you understand in your terms – just like your CFO does for your financials. Knowledge is power. Understand the gap and associated risk. Put a risk reduction plan in place. As you proceed, your chances of getting breached will reduce and there’s a good chance your cyber insurance premium will decrease.
