No matter how sophisticated an organization’s technical defenses are, human error remains a significant vulnerability.
At the 9th Annual Health IT + Digital Health + Revenue Cycle Conference, several panel sessions focused on cybersecurity and risk management. Health systems are investing in sophisticated technology defenses and partnerships to prevent cybercriminals from disrupting their operations. They're also paying close attention to third-party vendor agreements and disaster preparation. But there are still significant risks.
"Guess who your biggest risk is? Your own people," said Zafar Chaudry, MD, senior vice president, chief digital officer and chief AI and information officer at Seattle Children's.
Phishing attacks, where hackers trick employees into clicking malicious links or providing sensitive information, remain one of the most effective ways for attackers to gain access to healthcare systems. Clinicians are especially susceptible.
"Clinical people love clicking on the link that says they’re going to get $10 million transferred to their account… and they do it all the time," Dr. Chaudry said.
The social engineering behind phishing emails has become increasingly sophisticated, and health systems have to test their teams. Dr. Chaudry said his security team runs simulated phishing campaigns that mimic real attacks, and anyone who clicks on them has to take extra training.
"They've caught me at least twice clicking on the link. And not only do they catch me, then they publicize that the guy in charge doesn't know what he's doing and has to take a training course in security," said Dr. Chaudry. "But that's the right thing to do because those hacks are really sophisticated. That is a major problem I worry about because when I don't have access to systems, I'm going to struggle to provide safe care, and a clinician just wants to access the right information at the right time to provide safe care."
At Seattle Children's, as in many healthcare systems, phishing tests are regularly conducted to help staff recognize and avoid these attacks. However, even with regular training, the sophistication of phishing schemes is growing, making it harder to keep up.
On another panel, Matt Morton, assistant vice president and chief information security and privacy officer at University of Chicago, explained that many healthcare workers, especially in high-ranking positions, may inadvertently expose their organizations to risk by not adhering to security protocols.
"What has saved our bacon multiple times is multifactor authentication and making sure that was fully deployed across the entire organization," said Mr. Morton. Some clinicians may try to avoid tighter security because it adds an extra step to accessing information, but the health system has to remain vigilant.
"Just because you're a special doctor doesn't mean you get the exemption," said Mr. Morton. "The fact of the matter is those are tough conversations, but that has been a lifesaver."
Mr. Morton approaches these conversations with top physicians differently than with administrative leaders. For a physician who has staked their whole career on research and innovation, he brings examples from other researchers into the mix. Those stories might not be in the news, but they're still important to share.
"They lost their entire life's work from one of those ransomware attacks," said Mr. Morton. "That's usually enough that they're onboard."
Mr. Morton recounted how he often has to have difficult conversations with researchers or medical professionals to help them understand the importance of security measures that may slow down their workflow.
Lisa Stevenson, CNIO of Houston Methodist, echoed Dr. Chaudry's concerns, emphasizing the need for healthcare organizations to be better prepared for cybersecurity incidents.
"Especially with the growing threat, it’s [a matter of] when, not if," Ms. Stevenson said. She stressed the importance of preparing clinicians and other staff for the inevitable, ensuring that they know what to do if a cyber event occurs. "If your entire network goes down, how do you prepare your clinicians to continue to provide safe care?" she asked.
Preparing for the worst-case scenario — a full-scale cyberattack that shuts down a hospital’s systems — was a major focus of the panel discussion. The consensus was clear: most healthcare organizations are not fully ready for such an event.
"I think [cybersecurity] is a big topic and concern," she said. "We have the resources and tools, the paper, the forms, and the processes, but we need to drill those and educate on an ongoing basis."
This preparedness involves more than just technical solutions. There is a need for robust incident response plans, complete with contingencies for when digital systems fail. In the age of EHRs and AI-driven tools, many hospitals and clinics have become so reliant on digital infrastructure that a system failure can bring operations to a grinding halt. Ms. Stevenson pointed out that IT teams should work closely with clinical staff to develop and practice procedures for these scenarios.
"One of the other things we’re doing is redistributing our IT resources to help support the clinicians," Ms. Stevenson said, noting that having IT staff on-site to help during system downtimes is critical to maintaining operations.
Dr. Chaudry added that organizations often overlook simple but crucial aspects of preparedness.
"We didn't order enough paper. We don't have any pens," he said, referencing the basic tools that can keep operations running in the event of a complete network outage. Without these low-tech solutions, even the most sophisticated incident response plan can falter.