Greg Garcia, executive director for cybersecurity at Washington, D.C.-based Healthcare Sector Coordinating Council, discusses the vulnerability that a lack of investment in cybersecurity can cause for hospital systems, and how C-suite executives can maintain strong methods of data protection.
Question: What would you say is the No. 1 threat to hospital cybersecurity today and why?
Greg Garcia: Overall, the No. 1 threat is lack of sufficient investment in cybersecurity among small to mid-sized health delivery organizations, even among larger systems. Hospitals must make numerous risk management decisions against resource constraints and cybersecurity has historically not been given the attention it needs — for the integrity and availability of their data, the reliability of their clinical operations and most importantly, patient safety.
Q: What advice would you give to hospital CISOs or CIOs to get hospital staff on the same page in the aftermath of a cyberattack?
GG: Engage the hospital C-suite to enforce a culture of security with the message that clinicians must treat computer viruses as seriously as human viruses.
Q: What is the No. 1, first step a hospital should take when developing a cybersecurity incident response plan? What departments and team members should be involved?
GG: No. 1, first step is asset inventory: what devices and information systems are on your network and how are they configured and interconnected. From there you develop a risk profile, then a security policy and controls. The risk profile and security policy require senior executive involvement, including the CIO, [chief technology officer], [chief revenue officer], [chief medical revenue officer], CFO and the CMO. Then you get the imprimatur from the CEO to make the necessary risk-based investments, promulgate the controls and enforce them.
Q: What do you consider to be the most important aspect of hospital data protection?
GG: The front-line clinician who is interacting with the data and the devices and systems that store and act on them.
To learn more about hospital and health system cybersecurity, as well as the key trends for CISOs, register for the Becker's Hospital Review 2nd Annual Health IT + Clinical Leadership Conference May 2-4, 2019 in Chicago. Click here to learn more and register.