Hospital Cybersecurity Must Start in the C-Suite

In the eyes of Bertine Colombo McKenna, PhD, cybersecurity must be a priority for those at every level of a hospital system.

“It’s not that long ago that we were not talking about it, right?” she asked towards the beginning of her speech at the Philadelphia HIT Summit today. She has served at the top of health systems, most recently as Chief Operating Officer for the Bassett Healthcare Network, and her speech included stories and hypotheticals from the frontline.

“Imagine this: a patient in their home who has just been in your healthcare organization gets a call. The person on the other end says ‘I have the code to your pacemaker, and unless you give me $10,000 (in BitCoin of course) I’m going to turn it off.’ Who do you think that patient is going to call first?” she asked. The hospital, of course, was the answer, and not long after, she postulates, the situation will be on the front page of a newspaper.

McKenna was not educated on cybersecurity, but such possibilities led her to set up an oversight committee in her health network. Today she serves as an Executive Advisor to GreyCastle Security.

“It’s not just an IT issue. It has to be in the C-Suite and it has to be at the board. And not just a report, I mean, there has to be a coordinated and integrated process to understand the vulnerabilities,” she said. She wonders when cybersecurity will earn its To Err is Human-type moment, citing the monumental report on patient safety from two decades ago. Medical device vulnerabilities might be that, she thinks.

“The board has to be educated,” she said, not just the basics, but based on actual assessments of the individual institution’s vulnerabilities. Reputational damage needs to be kept in mind when calculating the costs of securing an institution.

“Drill incident response just like we drill any other incident that can happen in a hospital,” McKenna urged. “Who would we call? Who’s in charge? What’s our position on whether we pay ransomware?”

In addition to establishing a plan and a roadmap for the future, she recommends investing in cybersecurity training for HIPAA compliance, and also hiring a cybersecurity firm on retainer just as an organization does with law firms. From the board and C-Suite down, everyone in the organization should be sharing responsibility for cybersecurity protocol. The point-of-care staff needs to be involved as well.

“The frontline staff needs to understand that this is as important as the right medication, at the right time, the right way at the right dose…this is going to take a full culture shift,” she said.