Health systems have made progress, but they still have a long way to go, says Clearwater CEO Steve Cagle. Hospital executives must drive change from the top.
Las Vegas - When Clearwater CEO Steve Cagle was asked if hospitals are improving their cybersecurity or if they still had a long road to go, he simply said, “Yes.”
“Making progress and still have a long way to go,” Cagle said.
Clearwater, a cybersecurity firm, works with the healthcare industry and other highly regulated industries. Clearwater recently acquired CynergisTek, another cybersecurity firm with expertise in healthcare.
Hospitals have suffered hundreds of cyberattacks in 2022, as hackers are targeting the healthcare industry. CommonSpirit Health, one of America’s largest hospital systems, said it was hit by a ransomware attack last month. Cybersecurity analysts say healthcare lags behind other industries in terms of bolstering its defenses. Two out of three healthcare IT professionals (67%) said their organizations had a significant cybersecurity incident in the past 12 months, according to the HIMSS 2021 cybersecurity survey.
In an interview with Chief Healthcare Executive at the HLTH Conference this week, Cagle said hospitals need to view cybersecurity as a continuing process.
“Unfortunately, there’s probably not a finish line per se, because it will continue to get more complex as time goes on,” Cagle said.
“As a health system buys a new business or implements new technologies, threat actors are becoming more sophisticated and they’re changing their approach and their techniques,” he continued. “It’s an ongoing process, and one that I think healthcare is definitely getting better at. But it’s becoming more and more difficult to be at the level that you need to be in order to be at a risk level that’s probably going to be acceptable to the organization.”
Ransomware attacks have been rising in the healthcare industry, and that’s because bad actors know that many hospitals and health systems are vulnerable. Ransomware groups have breached patient records, which are a treasure trove of both health data and financial information. Attackers also know that hospitals will pay to get access to their records, experts say, even though authorities advise against paying the ransom.
“The game is changing,” Cagle said.
“Threat actors have become more aggressive because it is a juicy target,” he said. “It’s an easier target as well.”
Hospital executives play a critical role in bolstering defenses against cyberattacks. Cybersecurity isn’t just the province of the IT departments.
“One of the fundamental pieces of advice I would give is to ensure conversations are being had at the executive level of the organization, that there’s continued education of boards, and there’s really great leadership from the top in terms of how we’re going to manage security as an organization,” Cagle said.
Ben Denkers, chief innovation officer of CynergisTek, told Chief Healthcare Executive that the investment and attention of the C-suite in cybersecurity isn’t just a critical factor. He called it “the most important” aspect of organizations in strengthening their defenses.
“The top down approach is the only real effective way,” Denkers said.
While CEOs can drive the change and set cybersecurity as a priority, healthcare workers need to understand the importance of protecting patients and the organization’s finances. The average healthcare breach now costs more than $10 million, according to a report from IBM.
“From a culture perspective, our employees are our best weapons against cyberattacks,” he continued. “There are so many attacks that have been successful through social engineering. Making sure we have continued security awareness, that starts at the top.”
Health systems must have a thorough understanding of all the risks in the organization, including those that come from vendors and medical devices. Health systems that are faring better in protecting themselves have undertaken robust risk assessments, Cagle said.
“As you’re beginning to get to a level of maturity in the organization, it’s really time to have a very comprehensive, thorough assessment of all the different applications in your organization, all the different systems that you’re using, and truly use that as a way to map out where you’re going to invest,” Cagle said.
“That all starts from leadership,” he continued. “Leaders really need to be sure they’re establishing that culture as an organization.”