As Chief Healthcare Executive continues its series on cybersecurity, we look at the Fisher-Titus system in Ohio. The organization offers useful lessons in how smaller providers can improve their security.
It didn’t take long for Linda Stevenson to realize what she was up against.
Stevenson is the chief information officer of the Fisher-Titus health system, a rural Ohio provider about 60 miles from Cleveland. She took the post in 2019.
“We had no cybersecurity plan and no cybersecurity budget,” Stevenson said.
Over the past couple of years, Stevenson and her small information technology team have made great strides in revamping the system’s cybersecurity defenses. The system did it without a big infusion of funds or by adding extra staff. She outlined her system’s journey at the Health Information and Management Systems Society conference in Orlando last month. (The story continues after the video.)
As Stevenson said, even smaller hospitals have to guard against cyberattacks. Hackers view smaller health systems as “the easiest,” she said.
Stevenson said the system had to be creative, because there wasn’t a lot of cybersecurity expertise in-house and there’s a limited pool of pros with knowledge in the field in rural Ohio.
A blessing in disguise
Stevenson secured the support of the health system’s leadership to put in a governance structure, which she said is the compass to help set the direction for improving cybersecurity. (Fisher-Titus adopted the voluntary cybersecurity framework developed by the National Institutes of Standards and Technology.)
“You need to get that buy-in from the very top on your governance structure to build your map and compass and get to where you need to go,” Stevenson said.
She said the support of leadership was key in helping galvanize support to address cybersecurity. She also secured an outside assessment of the system’s vulnerabilities.
The evaluation was eye-opening, she said. Most of the previous assessment of the system’s security was inaccurate.
But it was also invaluable. “Now I really know what the holes are and what the problems are,” she said.
Any smaller hospital looking to improve its cybersecurity needs to have an honest assessment of its vulnerabilities, and Stevenson said an outside firm can give you an unbiased look. “I recommend an outside company to start with because you get an independent look at things versus what your people know,” Stevenson said.
Then Stevenson began recruiting partners for the effort, including the doctors and nurses. She advised all healthcare systems to involve clinical staff in cybersecurity efforts, since doctors, nurses and patients are going to be affected.
“I don’t think we should do anything in an organization without clinicians being on our side,” Stevenson said.
In the fall of 2019, the Fisher-Titus system was hit by an email breach, which was discovered two months later. There were some patient records exposed, but it wasn’t a ransomware attack and it didn’t bring down the system, Stevenson said.
By that point, Fisher-Titus had some governance in place. “Thank God we had already started having that conversation about our security program,” she said.
The breach served as a valuable wake-up call. “This really was a gift,” Stevenson said. “I was really blessed to have this breach.”
“It gave us enough awareness: This is real,” she said.
It became a teaching moment to the entire system.
'It is possible'
The system developed an action plan with a list of items to address. The list initially had 100 items, but it’s been since knocked down to about 40, Stevenson said. While many weaknesses have been addressed, sometimes new items are added to the list. “It’s an ongoing look at our deficiencies,” Stevenson said.
Stevenson said the system’s cybersecurity group meets biweekly to go over new risks. The group also measures its progress in how many emails are blocked.
She said the Fisher-Titus board of directors gets a quarterly report on cybersecurity efforts. She said updating the system’s leadership about ongoing security is critically important.
The board was impressed to learn that 95% of the emails that go to Fisher-Titus are filtered out. But she said that also illustrated to the board how many bad actors are out there.
It’s critical to communicate regularly with hospital leadership about the potential risks of cyberattacks. Keep it simple, she said, by explaining what will happen if systems are compromised. If systems have to be brought down or electronic health records can’t be accessed, it could mean delaying surgeries or other procedures, and patients could have worse outcomes.
Fisher-Titus now employs what Stevenson described as “very challenging phishing attempts” to be sure workers aren’t clicking on suspicious email links. If employees click on the suspicious links too many times, human resources is notified and, if needed, workers could get retraining on cybersecurity.
Stevenson stressed that cybersecurity is a constant struggle and involves ongoing, regular communication with staff. “It needs to be ongoing and consistent,” she said. “This is not a one-and-done.”
She also said when warning about new threats of cyberattacks or new procedures, it’s important to use plain language. “You’ve got to put it in their terms,” she said.
Fisher-Titus has made good strides, Stevenson said. In 2021, the system brought in a reputable firm for a penetration test, and failed to get in externally after seven days.
It’s not easy to develop stronger cybersecurity defenses at a small hospital or health system, but as Stevenon said, “It is possible.”
Now, she said the hospital leadership is happy.
“Everyone feels good about where we’re at, and we did it with no additional people,” Stevenson said.