There was no question as to what was the most pertinent topic at ViVE 2024. Just days before the conference kicked off, a massive cyberattack targeted Change Healthcare, a unit of UnitedHealth. For the leaders who have been working tirelessly to increase awareness around cybersecurity and develop better strategies to protect data — and more importantly, patients — the timing was ideal.
According to Greg Garcia, Executive Director at Health Sector Coordinating Council (HSCC), the wide-ranging and long-term ramifications of the breach will help further drive the need for action. “We have to take this seriously,” he said during a discussion with Erik Decker (VP & CISO, Intermountain Health), Chris Tyberg (CISO, Abbott and Vice-Chair), Linda Ricci (Deputy Director, Office of Strategic Partnerships and Technology Innovation, FDA) and Brian Mazanec (Deputy Assistant Secretary, Office of Security, Intelligence, and Information Management, HHS). “We’ve spent the last five years developing a series of best practices and guidelines, but now we need to look forward.”
It’s precisely what the Health Sector Coordinating Council aimed to accomplish through its Health Industry Cybersecurity Strategic Plan, which was unveiled at the event, held Feb. 25-28 in Los Angeles, Calif. Designed as “a formulary for how the industry can upgrade its security and resiliency prognosis from critical to stable,” the plan identifies the most pressing cybersecurity challenges and outlines steps to prepare for the possibility of an attack.
It’s a possibility that’s becoming more and more likely, said Garcia, pointing out that HIPAA breaches have nearly doubled since 2018, and that 141 hospitals were hit by ransomware in 2023 alone. The average cost of these incidents was $1.5 million — even more damaging, however, was the impact on patient safety. “If you’re unlucky enough to be in the hospital when a ransomware attack occurs, the risk of dying goes up,” he added. “That’s not hyperbole. The imperative to address this has never been more urgent.”
A 5-year plan
The ‘why,’ clearly, was obvious; the ‘how’ was a bit more complex. But there was one point the authors established right upfront: the strategy needed to reflect where the industry is going, according to Ricci. “We didn’t want to develop a five-year plan that’s focused on a healthcare system from 10 years ago,” she said. As a result, trends like AI and mergers and acquisitions were incorporated into the strategy. “We want this to be forward-looking and strategic.”
Achieving that also meant including not just provider organizations in the discussion, but representatives from vendor companies, health plans, pharmaceutical companies, and government agencies. “We needed it to be all-hands-on-deck,” said Ricci. “We wanted to create this plan for everybody.”
Decker concurred, noting that incorporating different voices is critical in ensuring the needs of an “incredibly diverse sector” are being met. “We’re all different organizations, but this is a very common thread we’re all trying to pull together.”
That thread, according to Ricci? “Cyber safety is patient safety,” she said. “We’re here for the patient, and it’s important to recognize that in all we do.”
Appropriately, the first of the 12 cybersecurity objectives outlined in the strategy centers around ensuring that care delivery services are user-friendly, accessible, secure, and compliant, noted Decker, also co-chair of the 405(d) Task Group. Other key areas of focus include third-party risk management, cybersecurity education and certification, ensuring the safety of emerging technologies, privacy standards to promote ethical data practices, and resources for small and rural organizations (HSCC).
“We want to make sure that our delivery services are secure, safe, and appropriate to our patients and our health plan members at Intermountain,” he added. “We constantly have to be thinking about that.”
“Choke points”
Of course, it’s not just about protecting patients at one particular organization, he added, noting that collaboration among health systems — along with participation across the industry — is vital to ensuring the success of the plan. “It’s a great opportunity for engagement and for feedback,” Decker stated. “When it comes to mobilization, the key here is that this isn’t the cybersecurity working group’s strategic plan. It’s not the government’s strategic plan, and it’s not an individual organization’s strategic plan. It’s all three of those things.”
And that means it’s not just CISOs and other health system leaders who need to be involved, but also people like Ricci, Tyberg, and Mazanec.
“We need to work with our government partners to do a systemic risk analysis,” he stated. “We have to get to those critical choke points.”
The more information organizations have and are able to share, the less likely that another sentinel event will occur — or if it does occur, the less damaging it will be.
“We have to do this in partnership so that we can dive in, filter through the noise, and really understand the clinical, financial, and business side of the impact,” Decker said. “We need to contemplate this as an industry and support it as an industry.”
One way to do that is by signing a pledge to embrace the principles of the Strategic Plan, according to the panelists, and help move toward the ultimate goal of stabilization. “That’s the vision we have for the future,” said Tyberg. “That’s what we want this to look like in 2029.”