Chief information security officers are seeing their roles elevated as hospitals renew their focus on cybersecurity and ransomware attack prevention.
In the last year, Nashville, Tenn.-based HCA Healthcare suffered a significant data breach affecting 11 million patients. Lehigh Valley Health Network in Allentown, Pa., was attacked by a Russian ransomware gang and St. Louis-based Ascension continues to recover from a ransomware attack in early May.
Third-party vendors are also being hit. Most notably, Change Healthcare, part of Optum, suffered a large-scale cyberattack earlier this year that disrupted the company's payment processing for hospitals across the U.S. Hospitals and physician practices struggled to find solutions for payment processing while Change revived its network, and millions of patients' data was exposed during the attack.
All C-suite executives are watching the attacks unfold and taking the necessary (and costly) precautions to avoid falling victim. They are also relying more on CISOs to become part of the strategic planning for the overall health and viability of the organization.
Splunk's CISO report said 86% of respondents felt like they had a "different job" because of how the role has evolved from a technical role to a business leader. The report also noted around 47% of CISOs now report directly to the CEO and can have a bigger influence with the leadership and board of directors.
Many organizations believe it's a matter of when, not if, they will be hit by a cyberattack. And then they have to respond.
"We're not really able to actively mitigate threats so much as react to them very, very quickly," said Aaron Wiseman, CISO of Main Line Health, on an episode of the "Becker's Healthcare Podcast" hosted by Molly Gamble. "Some of the more successful CISOs are able to do that at scale continually and keep their organizations safe as long as they can. There's also an element of being able to plan for that downtime and figure out, once our organization is hit with ransomware, how do I make sure I promote my confidence in my ability to respond to that throughout the organization."
It takes collaboration across the organization and the ability to explain security concepts to clinical and administrative staff. Those communication skills are essential so CISOs can convince their teams that cybersecurity best practices are a patient safety and patient dignity issue, not just a technology issue, said Mr. Wiseman.
There is also more collaboration among cybersecurity leaders and teams to spread learnings for cybersecurity recovery. Being able to network and leverage those connection points will prepare CISOs and their organizations for what happens after the attack.
"There's a lot more what I consider shared therapy sessions around [ransomware attacks] where folks come together and talk about this horrible shared plight, the threat of ransomware attacks and how health systems are organizing around that," said Mr. Wiseman. "Healthcare, fortunately, has had, through HIPAA, this longstanding obligation to report healthcare breaches and breaches of protected health information. Some health systems now have the added difficulty of responding to SEC regulations and having to report under much tighter timelines. I think it's becoming a lot more complex, but it's also driving a lot more collaboration within the healthcare industry."
Renton, Wash.-based Providence has also been elevating cybersecurity operations by developing a global IT enterprise. The health system has employees in India to support the system's cybersecurity efforts during evening hours in the U.S. The move has had a big strategic impact on Providence's team, and staff satisfaction is up because the team doesn't need to take night shifts.
"Cybersecurity is a cost center for an organization, and there is a fine balance that you have to walk between pouring more money and resources into solving cybersecurity as a problem space. What are the risks? What's the dollar value of the risks that you're solving for?" said Mr. Zoller on an episode of the "Becker's Healthcare Podcast" hosted by Laura Dyrda. "Every dollar that you spend on security is a dollar you take away from patient care in some fashion or take away from innovation or from reducing technology or process debt."