HIMSS25: Strengthening Healthcare Cybersecurity Through Enhanced Staffing and Partnerships

Key Takeaways

  • Healthcare cybersecurity requires data-driven insights to enhance resilience and patient care.
  • Understanding the distinction between disaster recovery and cyber recovery is essential for effective incident management.
  • The healthcare sector faces talent shortages in cybersecurity, making recruitment competitive and challenging, particularly for smaller organizations.

Healthcare Cybersecurity as an Ecosystem

In a recent session led by Dr. David Rhew, Microsoft’s global chief medical officer, industry experts discussed the evolving landscape of healthcare cybersecurity. Dr. Jeffrey Tully, co-director of the University of California, San Diego’s Center for Healthcare Cybersecurity, emphasized the need for actionable insights rooted in data, akin to evidence-based medicine practices, to inform cybersecurity efforts.

Tully noted that healthcare organizations must learn from past ransomware attacks to understand their broader impact. For example, a 2021 ransomware incident in a San Diego health system caused regional disruptions, leading to increased patient volumes and longer emergency department wait times. This illustrates that cybersecurity strategies should extend beyond individual institutions to consider the entire healthcare network’s resilience.

John Frushour, Vice President and CISO of NewYork-Presbyterian Hospital, highlighted a critical takeaway from the conference: the distinction between disaster recovery and cyber recovery. Disaster recovery focuses on restoring access for users, while cyber recovery prioritizes ensuring that any attackers have been removed from the network, underscoring the complexity of cybersecurity incidents.

The discussion also covered the importance of fostering cybersecurity talent, particularly among women. Frushour advocated recruiting individuals with general IT experience before they specialize in cybersecurity roles, which can strengthen the field.

Adapting Cybersecurity Strategies in Post-Acute Care

In the context of post-acute care, David Finkelstein, CIO of RiverSpring Living, shared insights into how recent cyber events have reshaped their operational processes. Following an attack that disrupted their electronic health record system via Change Healthcare, the organization reverted to manual processes, significantly affecting cash flow for an extended period.

Highlighting third-party risk management, Finkelstein noted that both small and large organizations have reevaluated their business continuity plans in light of major incidents, such as the CrowdStrike IT outage. Tamra Durfee, a virtual CISO at Fortified Health Security, pointed out the acute shortage of cybersecurity professionals in the healthcare field, exacerbated by a lack of awareness about the importance of cybersecurity in smaller organizations.

Robert “Bob” Latz, CIO of Trinity Rehab Services, added that the competitive job market complicates filling cybersecurity roles. Local hospitals vying for the same talent create challenges in recruitment for smaller organizations.

Finkelstein also recounted his organization’s experiences with a high turnover rate in in-house cybersecurity positions, leading them to transition to a Managed Security Service Provider (MSSP) that delivers round-the-clock monitoring.

Summarizing the discussion, Latz emphasized the need to approach cybersecurity through a human lens, equating cyber safety with patient safety. He encouraged professionals to consider the individuals impacted as they implement cybersecurity measures, advocating for a more personalized approach to this critical and complex issue.

The content above is a summary. For more details, see the source article.
