The 'increasing risk' of being a health system IT security leader

Hospital and health system IT security chiefs told Becker's the industry is dealing with increased pressure from ransomware attacks, budget constraints and personal liability concerns.

Their experiences align with a May 9 report from security firm Proofpoint that found those to be among the top concerns of healthcare cybersecurity leaders. According to that survey of 1,600 executives from across the globe, 60 percent feel they're at risk for a material cyberattack in the next 12 months, with half saying they're unprepared for it and 44 percent noting the economic downturn has eaten into their budget.

"A cyber event or attack can happen to any organization at any time. No organization will ever be bulletproof, so the best plan is to focus on preparedness (tabletops exercises and collaboration with business), early detection, response (a robust [incident response] plan) and business continuity," said Steven Ramirez, chief information security officer of Reno, Nev.-based Renown Health.

"In an economic downturn, it's important to remember you can be adaptive in your security approach, as good cybersecurity hygiene isn’t just about the dollars and cents. Doing security basics very well (access management, patching, [two-factor authentication]) can help mitigate attacks."

Sixty-two percent of cyber leaders also say they're worried about personal liability, with 48 percent experiencing burnout in the past year and 42 percent feeling unrealistic expectations about the job, the report found. This comes after the successful prosecution of former Uber security chief Joe Sullivan and Federal Trade Commission action against Drizly CEO James Cory Rellas over data breaches. The Securities and Exchange Commission has also proposed a rule requiring increased cybersecurity accountability among boards of directors.

"The simple fact is that most CISOs report to a C-level executive, and traditional directors and officers insurance may not cover the potential liability for the CISO or head of information security," said Esmond Kane, chief information security officer of Dallas-based Steward Health Care. "Class-action lawsuits, especially over ransomware, are only increasing the risk to CISOs."

Amid the ever-present threat of ransomware that can shut down hospital operations, 52 percent of security chiefs told Proofpoint they would pay ransom and 53 percent said they'd make a cyber insurance claim to cover losses.

"If anything, I suspect the statistic is low, and I believe more than 52 percent would pay — in particular, if they had advice from outside counsel and are working with a professional negotiator-type service," said Jack Kufahl, chief information security officer of Ann Arbor-based Michigan Medicine.

He said there is an impression that meeting the ransom demand will limit data loss or the time a network is offline.

"Unfortunately, the nature of the specific threat actor, their tactics, and the technologically complex environment of any given healthcare company means that the chance of that being true is lower than a lot of what executives and patients may expect," Mr. Kufahl said. "In effect, a company is paying for a chance of faster recovery and one that seems less likely with every new set of actors and variants of attack."

Anahi Santiago, chief information security officer of Newark, Del.-based ChristianaCare, said she also expects personal liability to become a more prevalent issue in the coming years, and that challenges for cyber leaders have grown as patient care has expanded "beyond the four walls of the hospital."

"The pressures on healthcare CISOs are unique as they have patient safety implications," she said. "I also believe that those of us who have chosen to devote our craft to this industry have a passion to advance the field of cybersecurity in this industry."

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars