[BreachExchange] What hospital CIOs are doing differently in 2020 to combat cyberattacks — it may not be tech related

Destry Winant destry at riskbasedsecurity.com
Mon Feb 17 10:23:24 EST 2020


https://www.beckershospitalreview.com/cybersecurity/what-hospital-cios-are-doing-differently-in-2020-to-combat-cyberattacks-it-may-not-be-tech-related.html

Cyberattacks in the form of ransomware, malware, phishing emails and
other nefarious hacks can result in patient record exposure, locked
patient information, EHR downtime and delay in patient care. Since
2016, there have been 172 individual ransomware attacks on healthcare
organizations affecting 1,446 hospitals, clinics and other
organizations, according to a Comparitech report. The report also
noted 6.6 million patients have been affected by these attacks and
hackers have demanded $16.48 million over the past four years.

The additional expenses associated with ransomware attacks total
around $157 million since 2016, a hefty price tag. In December,
Hackensack (N.J.) Meridian Health paid an undisclosed sum to stop a
ransomware attack that caused a two-day shutdown of its computer
system. DCH Health System, a three-hospital system based in
Tuscaloosa, Ala., paid hackers to restore access to its record system
as well last October after diverting patients away from its
facilities.

In February, 500 offices affiliated with Boston Children's reported
their computer systems were shut down in a malware attack. In South
Carolina, patients filed a class-action lawsuit against
Georgetown-based Tidelands Health after the system experienced a
malware attack and clinicians turned to paper records while the IT
network was temporarily offline. The suit claims the health system
violated HIPAA, failed to report the incident to HHS and that at least
one patient was given food items she was allergic to because her
medical records were inaccessible.

The list could go on and on.

"Cyber activity will continue to be a challenge for many years into
the future," said Tom Andriola, vice president and CIO of the
University of California System in Oakland. "I think one of our
biggest shifts is to include an element of proactivity into our
approach, such as threat intelligence, and understanding would-be
attackers as well as continuing to strengthen our defenses to protect,
detect and respond."

CIOs and chief information security officers are charged with
strengthening the organization's defenses against cyberattacks and
implementing the right technologies and upgrades. While some
organizations are investing heavily in new technology, others see a
different weakness that they will address this year.

"We recognize that the mix of technologies in our environment today is
rapidly changing and adding complexity to how we protect ourselves
against cyberattacks," said Phyllis Teater, CIO of the Ohio State
University Wexner Medical Center in Columbus. "With the introduction
of IoT, cloud computing and more sophisticated clinical devices, we
are definitely on guard in more areas than ever before. However, our
focus remains on educating the end user."

Email phishing attacks are a top concern for health systems, and
despite the best efforts to warn employees, the hackers continue to
find success. Last March, Wise Health System in Decatur, Texas,
notified nearly 67,000 patients that their protected information may
have been exposed when multiple employees fell victim to a phishing
attack. Hackers asked employees to disclose their credentials, and
then attempted to reroute payroll direct deposits. The health system
notified patients whose information was stored within those employees'
emails.

In January, Springfield, Ill.-based Hospital Sisters Health System
notified 16,147 patients that employees were victims of phishing
attacks and patient data may have been exposed.

"[The end user] remains the primary way in which cybercriminals gain
access to our network and information resources," said Ms. Teater.
"This is such a dynamic and difficult-to-manage space that we must
engage our users by providing advice and education to them on
behaviors that will help keep us safe. In a world of 300 emails and
texts in one day, it is a challenging endeavor to provide the right
amount of information in the right way for it to be consumed by our
community."

Like many organizations, OSUWC uses testing and tabletop exercises to
simulate attacks and identify opportunities for improvement. The
leaders of Wayne HealthCare in Greenville, Ohio, also saw the need for
improved education and enlisted a full-time partner to better protect
the organization and make sure it will be able to recover from an
attack, if one occurs.

"Cybersecurity has always been at the forefront of everything we do
with technology," said Shelton Monger, vice president of information
systems, CIO and corporate compliance officer at Wayne HealthCare. "We
have transformed the mindset of our users to healthy skepticism of
unusual email and the need to click or open attachments."

Jeffrey Sturman, senior vice president and CIO of Hollywood,
Fla.-based Memorial Healthcare System, said the system created video
campaigns on cybersecurity topics such as phishing and "what is PHI?"
"We have established a senior executive cybersecurity task force that
meets regularly to discuss topics and determine the proactive measures
we need to put in place," he said.

On the technology side, Bruce Metz, PhD, executive vice president and
CIO of the Accreditation Council for Graduate Medical Education, said
in 2020 the organization will move away from passwords to
biometric-based technology for more secure and convenient access,
coupled with using conditional access tools to apply the right
security controls to the right users and devices as the organization
moves to a cloud-based model.

In Sterling, Ill., the CIO of CGH Medical Center is also taking a new
technology approach to combat cyberattacks: network segmentation.
"[It's] a nightmare to implement, but it's new table stakes in our
effort to minimize damage from these attacks," he said.

