Because healthcare is in constant danger, leaders must prepare for the worst.
In his job, Dennis Underwood, MS, often breaks bad news to healthcare organizations. He’s the inventor of a digital security tool called Cyber Crucible, the CEO of its namesake company, and the owner of the managed security services provider Cyber Delivered, meaning he assesses risks facing hospitals and alerts them to breaches. He sees a lot of scaremongering in the healthcare security world—and a lot of fear.
“Fear is never a friend,” Underwood told a crowd last week at the Health IT & Analytics Summit in Baltimore, Maryland. “We want to avoid the emotional response.”
Although data breaches typically bring great stress, healthcare organizations can take steps to prepare for what is an increasingly common cost of handling sensitive patient information in the digital world, Underwood said. But when health systems construct plans for their preemptive and responsive actions, they can rein in the effects of a data breach, he and two industry colleagues said during a panel discussion moderated by Underwood.
Building a security team is not easy, as cyber resources are strained in all industries and competition abounds for top talent. Early in the process, however, a hiring manager must decide whether they want junior or senior employees and the size of the team, said Max Shantar, MS, senior network security engineer for Maryland’s Anne Arundel Medical Center.
His team spans five or so people, a number that he wishes were higher. “So, we have to maximize what we have to get maximum benefit out of these resources,” he said. Each day, they plan which attempted cyberattacks to focus on, targeting those that pose the biggest data breach threats. Two or three people spend their entire day searching for what Shantar called “the needle in the haystack.”
But cybersecurity work can’t end there. Practice drills that simulate a data breach are critical to ensuring the organization and employees in various roles are ready to face disaster. Health systems that don’t prepare in this way tend to be ruled by chaos and emotion when they experience a data breach, Shantar said. “You cannot have chaos during a breach,” he added. “This has to be methodical.”
Healthcare leaders should meet with data privacy and breach experts when crafting any plan, to make sure it includes key legal and regulatory aspects.
Cyber insurance is another key part of the equation, said Mike Volk, MPA, vice president of cyber risk and solutions for the insurer PSA Financial. But prior to any breach, healthcare organizations must install tools that will enable them to understand what they’re dealing with and whether it’s wise to file a claim or pay out of pocket. That means security must look beyond defense and toward detection capabilities, with the ability to assess the severity of a breach.
Stakeholders across and up the organization, from human resources and tech to the executive team, must be involved in internal management planning and response recovery, Volk said.
Finally, in the age of increased healthcare consolidation, business leaders must understand that they inherit security risks with every acquisition, Shantar noted. The board must analyze “cybersecurity debt” just as it would financial debt, being sure to assess risk before a deal is finalized.
When a healthcare organization learns of a data breach, it’s crucial to stick to its game plan and not allow panic to take over. One way to do this is to retain a data breach coach, Volk and Shantar said.
In many cases, a company’s cyber insurance policy gives it free access to a breach coach—a legal professional who understands the language, regulations, and protocols needed to overcome this sort of crisis. Breach coaches may help with navigating government reporting requirements (always overestimate to avoid larger fines, Shantar adds), the insurance process, and even the public response (though a crisis public-relations firm may be necessary).
“Having been through several incidents and having used breach coaches, it’s always better to engage them,” Shantar said.
Affected health systems might also consider contracting an outside forensics team to determine what happened, how it happened, its effects on data, and more. This is especially true if the entity is working with limited in-house security resources, who must work to contain the breach, so it doesn’t spread throughout the organization, Volk said.
By now, nearly everyone in healthcare knows that the industry is among the most vulnerable in terms of cyberattacks. By some measures, it has taken the worst beating of any industry at the hands of hackers and ransomware. And that’s why healthcare leaders must take cybersecurity defenses, threat detection, and incident response seriously.
But experts conceded that it’s possible any plan will not hold up during a moment of crisis. “You can prepare a fantastic plan—most likely it will get blow out of the water immediately—but at least you planned and at least you practiced, so you’re not winging it step by step,” Volk said.
Get the best insights in healthcare analytics directly to your inbox.