Building the right cybersecurity defense takes vigilance and robust governance

Published February 16, 2026 3:32 pm

During a recent HFMA roundtable discussion, healthcare leaders shared tips on how to thwart growing cyber threats.

More than 800 incidents of unsecured healthcare data breaches have been reported over the past two years and are currently being investigated by HHS. As high as these numbers are, the incidents listed reflect only the breaches involving 500 or more individuals. Many smaller healthcare provider organizations have also been targeted by cyberattacks, putting patient privacy and healthcare data at risk.

As the frequency and intensity of cyber incidents increase, it is crucial that healthcare organizations implement and maintain a strong and compliant cybersecurity plan.

How to develop such a plan was the subject of an HFMA roundtable discussion entitled “Cybersecurity compliance – How today’s issues can affect tomorrow’s policy.” Attendees explored healthcare cybersecurity challenges and responses following a data breach; cybersecurity within healthcare revenue cycle management; operational and revenue-related business continuity issues; and cybersecurity best practices.

Speakers also looked toward the future, with discussion on how cybersecurity is evolving and how it could affect healthcare compliance. The following are highlights from the roundtable discussion.

What changes in cybersecurity protocols have you made in response to recent healthcare cyber events?

Desmond Jackson: The biggest challenge we face is one I suspect is true for most organizations: being able to service patients when systems are down due to a cyberattack. When that happens, we pretty much have to rebuild our entire down-time processes.

What happens if we can’t get access to the network? What if we can no longer access the internet and our EHR? How would we update charts and records for our patients?

We went through multiple exercises around what we would do if we had to manually run charts and charge slips to different areas throughout the hospital. This helped us understand what our cyber incident response would look like. It made us become more efficient around a “what-if” scenario. We haven’t perfected our responses by any imagination, but I think we’ve gotten better at what to do in case of an emergency.

James Forrester: My perspective might be a little bit different than the revenue cycle or finance side, but it certainly aligns on a couple of things. We’ve focused a lot on identity verification. When you look at the IBM breach report, for the second year in a row, phishing-compromised credentials are the number one threat.

We place a lot of focus on data security management. We have about 36,000 customers using our systems. An estimated 35% of data that is breached in healthcare is known as “shadow data.” This is data that is not necessarily managed by the enterprise IT team. The point about resiliency cannot be overstated, so we’re really focusing on cybersecurity resiliency, increasing awareness with executive leadership and operations leadership.

Stephen Forney: This started as a bit of a journey for us, going back about three years. We had made some significant changes in our IT service posture. We outsourced our IT department and had a lot of new individuals taking over our systems. They started identifying holes in our security right away and set about a very methodical program for upgrading our processes and our security footprint.

Before the improvements, when we applied for cyber insurance three years ago, it was an ugly event. We had to go through a checklist with the cyber carrier. They asked “Are you doing this? Are you doing that?” My response was, “No, pretty much none of that.” They covered us, but it was expensive.

Fortunately, by the time we went back the next year to renew, we had made enough progress that not only did we get rate reductions, but we also were able to increase our coverage. We continue to make process improvements. We just upgraded our threat detection software across the system, and we moved to mandatory multi-factor authentication for all individuals across the platform. We’re continuing to look at additional ways to harden the system.

How are you communicating with employees about cybersecurity threats and their role in thwarting those threats?

Jeffrey P. Costello: We have quarterly phishing exercises for all of our associates, and we have a three-strikes-and-you’re-out policy relative to failed phishing tests.

We administer our cyber governance through our audit committee and our information security director. Our director provides a quarterly report to the audit committee that includes key indicators such as our internal phishing failed test rate and our National Institute of Standards and Technology (NIST) risk assessment score. We try to ensure we have the highest NIST score possible. I just reviewed our last report. We’re at 92%, which is a good score.

Matthew Thomas: I’m the director of practice management at Emerson Health, based in Concord, Massachusetts. I’m an operations guy. We’ve been assessing our downtime procedures. We learned both from the operations side and the security side that there is an opportunity for more communication between the two parties.

There’s always IT security in the background doing all these things to keep the organization safe and protecting assets like application software. Because these efforts are important for the operations team to understand, we’re creating more touch points between IT and the operations teams.

Over the last four to six months, we’ve identified increased activity of social engineering from threat actors. They are targeting our staff, frontline workers, medical assistants, medical receptionists and billers — impersonating human resources (HR), insurance companies, other providers and practices. We’ve seen a huge increase in that kind of activity. We’re doing more training with staff in response.

Brian T. Kirk: We have about 3,500 employees, and we believe that the chain is only as strong as its weakest link when it comes to cybersecurity.

We know that education and training are paramount to protecting the organization, so we’ve been rolling out a lot of that. We are also taking steps to help employees identify and avoid threats. One of the simple things that our IT department came up with is a phishing alert button in Outlook. If an employee gets a suspected email, they can just hit that button and it automatically isolates the email so that IT security can then investigate it and delete it.

How are you dealing with cybersecurity resources or funding issues given increased attacks against the healthcare industry?

Forney: As we’ve been implementing better practices and better tools, I’ve not found the expense to be significantly more. In some cases, the cost is even less than what we might have been paying in the past. Good processes around cybersecurity tend to be more efficient. They are standardized at that point.

The better products on the market really don’t come at a significant premium. So when we upgrade, we want to make sure we’re upgrading correctly and that our systems are going to be secure. Doing it right is not really any more expensive than doing it wrong.

Jackson: I think we’ve taken a bit of a different approach. We’re less reliant on people, looking at more tools and what vendor partners are offering in the marketplace. We realize that we will never be smarter than those trying to break into the system. We’re investing more in technology that can help us, as opposed to trying to train staff members to address these issues.

Forrester: We treat all of our IT spending as an investment portfolio. In this case, we have an information security strategic plan that we update every six months. We report to our board on what our risk levels are and examine them from a budgeting perspective. We try to quantify our risk posture, and we balance what we’d like to achieve against the reality of, “How much can we really do?”

How do you best deal with third-party vendors when it comes to cybersecurity services or cyber insurance?

Forney: I’ve worked with numerous vendors. Not only are we doing an internal risk assessment, but before a vendor can connect to Epic or get information out of Epic, they have to go through a fairly rigorous process. Questions to be asked include: “Who are you? What are you going to do? How are you going to do it? And what does your risk profile look like?”

Christopher Johnson: Long before we sign any contract, we have an external company that does our security reviews. The potential vendor has to go through that security screening and assessment before we will work with them.

Forney: Another big cost topic is cyber insurance. It’s an amazingly volatile market, depending on what has happened in the past year — not necessarily at your organization, but in the industry. Rates can vary wildly between carriers.

Johnson: There’s a downstream impact of cyber insurance costs. I primarily work with revenue cycle partners on cybersecurity because we exchange so much data. We have had to increase the cybersecurity coverage requirements for any vendor that partners with us. We have run into situations where business partners have said, “We cannot afford to do business with you because we cannot afford the minimum insurance coverage that your organization requires.”

What are the most significant cybersecurity threats today that will impact the healthcare industry going forward?

Jackson: A lot of concern is that it is assumed that the biggest cybersecurity threat is external. In fact, most cybersecurity problems are internal, whether it be someone clicking a suspicious link, whether it be someone plugging into the network some device that shouldn’t be there. Continually educating our caregivers about internal threats is the most critical piece of this whole puzzle.

Kirk: The biggest risk for us would be if we were to lose access to our HR systems due to a ransomware request. We’ve got 400 providers. If we had to go to paper, we’d obviously worry about how long an event like this would last. Then we’d be jeopardizing patient care, because how are we going to communicate? We’re so used to having everything in the EHR — all the alerts, all the information — and if something happens to that paper trail or information contained on paper isn’t communicated appropriately, bad outcomes can happen.

Conclusion

Not surprisingly, cybersecurity issues continue to be a top concern for healthcare providers. A cyberattack not only puts patient data at risk, but can also cripple hospital and healthcare provider systems.

Understanding these threats, roundtable participants discussed the need for improved downtime procedures, enhanced identity verification and increased cybersecurity resiliency. More than one participant highlighted the importance of third-party risk management strategies as well as the role of AI in enhancing security. The importance of board-level support and investment in cybersecurity also was emphasized as critical to a successful cybersecurity defense. With that support, recommended action items included the following:

  • Implement mandatory multi-factor authentication for all users accessing the system.
  • Establish an AI governance council to oversee the use of AI across the organization and ensure ethical considerations are addressed.
  • Conduct regular phishing training exercises and implement a “phishing button” to report suspicious emails.
  • Review and update data security agreements with vendors to include specific security control requirements.
  • Review and update downtime procedures to ensure the organization can continue providing patient care in a network outage.

By examining cyber defense from multiple angles and developing a proactive approach, healthcare leaders can more effectively protect sensitive data and keep their organization’s downtime and cybersecurity expense to a minimum.

PANELISTS

TRISH RIVARD
moderator, is CEO and principal consultant with Eliciting Insights in Granby, Conn.

JEFFREY P. COSTELLO
is CFO at Beacon Health System, South Bend, Ind.

STEPHEN FORNEY
MBA, CPA, FHFMA, is senior vice president and CFO at Covenant Health in Andover, Mass.

JAMES FORRESTER
is associate vice president, information technology at the University of Rochester Medical Center in Rochester, N.Y.

GREG SURLA
is senior vice president and chief information security officer at Finthrive in Plano, Texas.

DESMOND JACKSON
MBA, DBA, is vice president of revenue cycle management with Monument Health in Rapid City, S.D.

CHRISTOPHER JOHNSON
FHFMA, is vice president patient account services vendor management at Advocate Health in Charlotte, N.C.

BRIAN T. KIRK
FHFMA, MBA, CPA, is CFO at Alaska Native Medical Center in Anchorage, Alaska.

MATTHEW THOMAS
FHFMA, MHA, FACHE, is director of practice management at Emerson Health in Concord, Mass.

About FinThrive

FinThrive is redefining revenue cycle management with innovation and intelligence at its core. Our AI-powered software unifies data and workflows to help healthcare organizations maximize revenue, reduce costs, accelerate cash collections, and maintain regulatory compliance. As one of the most advanced SaaS platforms in healthcare, FinThrive offers a connected, holistic approach to revenue optimization, spanning patient access, charge integrity, claims and contract management, automation, analytics, and education. Today, three out of five U.S. hospitals and health systems trust FinThrive to transform financial performance. Learn more at finthrive.com.

This published piece is provided solely for informational purposes. HFMA does not endorse the published material or warrant or guarantee its accuracy. The statements and opinions by participants are those of the participants and not those of HFMA. References to commercial manufacturers, vendors, products, or services that may appear do not constitute endorsements by HFMA.