Last year, 38% of health system leaders responding to a Bain & Company and KLAS survey about digital priorities said IT infrastructure and services including cybersecurity were in their top three priorities. Nineteen percent of respondents said they were increasing cybersecurity professional and managed services spending after the Change Healthcare attack last year, and 38% said they were increasing cybersecurity software spend.
“As an organization, as an industry, we have to continue to focus on cybersecurity,” said Luis Taveras, senior vice president and CIO of Jefferson Health, during an episode of the “Becker’s Healthcare Podcast.” “I have to make sure that every day I wake up and feel very comfortable that I’m doing the best possible to protect this organization. That’s my primary job right now: to protect the organization against cybercriminals all across the globe. It’s not the old days where we were protecting ourselves from a kid that was in the garage trying to break into our systems. Those days are gone. These folks are state sponsored and have access to the best technology out there, and they are really, really smart.”
It’s a challenge for health systems to stay ahead of the curve because cybersecurity is expensive, requires specific expertise and hacker tactics are constantly evolving. Leading cybersecurity efforts can feel like a “Whack-a-mole” game; as soon as one threat is tackled, another pops up.
“We’ve seen service desks being attacked through social engineering over the last couple of years, and we’ve been no exception,” said Nick Sturgeon, vice president and CISO of Community Health Network in Indianapolis. “Being able to implement new technology for our caregivers and our employees is really a game-changer for us because these attacks go for the people. They want to get their credentials, and so being able to provide a very strong barrier and protection has been great. It’s been a bit of a culture shift for our caregivers.”
Community Health Network’s whole IT team led the recent cybersecurity technology integration, and brought in business relationship managers as well as call site support analysts to work with frontline workers. They heard feedback from the workers on organizational change management and learned what messaging resonated with them and doubled down on communication to help them understand the “why” for the technology change.
“Organizational change management’s never easy. People don’t like change, but making this project a team effort has helped,” said Mr. Sturgeon. “Taking a nontechnical approach to this has been one of the reasons why we’ve been able to get where we are today.”
Mr. Sturgeon and his team are now focused on leveraging artificial intelligence in the cybersecurity process as well as improving efficiencies for frontline workers and the business office management team. Incorporating AI required additional governance and understanding use cases before expanding it out to the broader organization.
“One thing I have seen and experienced through the demonstrations and working through pilot programs is AI will either greatly strengthen what’s already good, or if there are cracks or weaknesses within the policies or within implementation of the technology prior to AI, it really exacerbates those cracks,” said Mr. Sturgeon. “Once you know the cat’s out of the bag or Pandora’s box has been opened, and going back is almost impossible.”
As leaders across the organization have become more excited about AI-driven technologies and applications, IT teams are becoming more vigilant in governance.
“We’ve been utilizing the excitement to continue motivation forward, but doing it in a way where we are not going to open ourselves up to potential cybersecurity issues or compliance issues,” said Mr. Sturgeon. “If we look at this from a regulatory perspective, we are trying to make sure we can go back should the OCR or the state governments [pass new regulations]. We make sure that we have the ability to be agile, depending on how the regulators come up with their guidance or laws.”
