Whether it’s phishing attacks, malware and ransomware, encryption blind spots, cloud threats or a breach inadvertently triggered by an employee, hospitals and health systems need to be aware of cybersecurity risks that can cause them harm. Failure to detect an attack can cause a hit to the bottom line and credibility among patients.
It’s why the AHA is hosting a series of free training programs on managing cybersecurity in health care. The program, “Leadership Matters: Managing Cybersecurity Risk in Health Care,” is designed for hospital and health system CEOs and their cybersecurity leads. It focuses on leadership behaviors to reduce the likelihood and impact of a cyber event.
“We had a robust discussion of how different organizations have responded to threats,” says Glenn Crotty, M.D., Charleston (W. Va.) Area Medical Center’s (CAMC) executive vice president and chief operating officer. He attended a recent AHA cybersecurity training session in Washington, D.C.
Most helpful was a “terrific discussion about addressing the root causes of these events, and the importance of staff education and training to minimize the likelihood of an attack … the importance of security upgrades and regularly drilling our employees,” he says.
Crotty says surprise breach drills have helped CAMC staff learn how to implement a quick, coordinated response to a breach situation. “Education needs to be triggered to drills,” he says, much like hospitals simulate emergency response drills.
The AHA training for hospital and health system presidents, CEOs, chief operating officers and other executives is an important contribution toward helping the field develop comprehensive cyber strategies, says Chad Wilson, Children’s National Health System’s information security director in Washington, D.C.
A cyber threat is a “technical problem and there is a technical solution,” says Wilson, who also attended the AHA’s training program in Washington. “But it is also a business problem, and it can cripple the business.”
The AHA’s cybersecurity training for hospital and health system leaders is part of the association’s effort to encourage its members to take cybersecurity seriously and incorporate it into a larger risk management program, says AHA Assistance General Counsel Lawrence Hughes.
“Every organization, no matter what its size, can do a great deal to reduce their risk and prevent attacks,” he says.
Wilson says training like that offered by the AHA becomes increasingly important as cyber attacks grow in their sophistication. “We all need a blueprint for how you defend your organization because this is an industrywide problem,” he says.
Crotty and Wilson say it’s a problem that poses unique challenges to hospital and health systems. They say that until health care data security is better resolved, cyber threats not only will continue to keep hospitals and health systems at risk, but can hinder the movement toward greater sharing of patient data among health care entities.
“You have to balance the ease of use and access with the security of the information, as well as the openness of how you share the information,” Wilson says. “That’s a pretty big challenge.”
The AHA has scheduled cybersecurity training programs for hospital and health system leaders for May 18 in Dallas, July 20 in San Francisco and Oct. 26 in Chicago. For more information on the AHA’s training programs and its cybersecurity tools and resources, click here.