Like other data-driven organizations, healthcare networks are vulnerable to potentially crippling cyberattacks — but may lag behind other sectors in preparing for and avoiding data breaches, according to a series of articles and commentaries in the fall issue of Frontiers of Health Services Management, an official publication of the American College of Healthcare Executives (ACHE). This journal is published in the Lippincott portfolio by Wolters Kluwer.
“Cyberattacks pose a real threat that all healthcare leaders and boards can and must address with strategic plans of action to prevent vulnerabilities, minimize risk, and respond to incidents when they do occur,” writes Frontiers Editor Trudy Land, FACHE, in an introductory editorial.
The new issue highlights two feature articles in which healthcare executives share their insights and experiences with building an effective cybersecurity strategy to protect valuable but vulnerable healthcare data. Dennis W. Pullin, FACHE, of Virtua health system in Marlton, N.J., emphasizes the importance of process improvements and team culture. At Virtua, “Cybersecurity is a team effort,” Mr. Pullin writes. “From board trustees to frontline employees, everyone is held accountable for protecting the organization against cyberattacks.”
Michael J. Reagin and Michael V. Gentry, FACHE, of Sentara Healthcare in Norfolk, Virginia, discuss the role of enterprise cybersecurity — walking readers through the essential integration of people, process, and technology involved in building a world-class cyber defense program. The authors write, “Partnering with a managed security services provider to build the key components of a program, rather than developing them completely in-house, can reduce costs and provide a higher level of expertise.”
In a commentary, Dane C. Peterson and colleagues of Emory Healthcare in Atlanta point out that the costs of cyberattacks include real risks to patient safety and quality of care. One study reported a significant increase in a hospital’s 30-day mortality rate for acute myocardial infarction, lasting for years after a cyberattack. The authors highlight key components of the cybersecurity strategies outlined by the feature articles:
- Third-party risks – ensuring that vendors are also taking cybersecurity seriously
- Value of multifactor identification in limiting “both the likelihood and impact of data breaches”
- Staff training (and follow-up) in recognizing phishing scams and protecting passwords
- Effective security staffing models, including the importance of internal and external collaboration
- “Cyberleadership” and culture, including engagement of senior leaders in a cybersecurity oversight committee
- Governance and financing challenges, including the role of a Board-level IT committee
Additional commentaries share perspectives from an insurer (Sean P. Murphy, FACHE, of Premera Blue Cross in Washington and Alaska) and a healthcare IT expert (Carla Smith of the Healthcare Information and Management Systems Society, Chicago).
The editors and contributors hope that the cybersecurity-focused issue of Frontiers will increase awareness of the vulnerability to cyberattacks at every level of the healthcare system. “Through organization-wide training, leaders can raise critical security consciousness, explain the various threats, develop and disseminate policies and procedures, emphasize the severe consequences of an attack, and convey shared responsibility,” Trudy Land writes. “In cybersecurity, everyone is a stakeholder.”