In the last decade, the number of large-scale data breaches impacting healthcare institutions reached all-time highs with 715 breaches in 2021 and 707 in 2022. Each of those breaches resulted in a minimum of 500 lost records. As the healthcare sector continues to face these risks in 2023 and beyond, how can your institution navigate these ongoing challenges? In fact, that is what we discussed at our Wolf-sponsored New England HIMSS Cyber Networking Event.
Wolf’s Chief Growth Officer, Mike Kanarellis, led a panel of some of New England’s top Chief Information Security Officers (CISOs), detailing how hospitals and health systems of all sizes can tackle evolving cybersecurity threats within their organizations.
What Keeps CISOs Up At Night?
To kick off our panel discussion, Esmond Kane, CISO at Steward Health Care, Robert Sanderson, CISO at South Shore Health, and Michael Keighley, CISO at MaineGeneral Health, shared what is front of mind for them when it comes to policies and procedures surrounding cybersecurity.
Robert explained his top concern is the risk of a data breach. In the healthcare sector, there is a large emphasis on the regulatory and privacy aspects, which can be significantly compromised in the wake of cyber threats. This can result in a lack of systems available for patients coming through the door and creates a challenging roadblock for every member of the organization. Robert shared that for healthcare institutions, system availability and patient availability are the top priority, and it is vital to ensure these resources are up and available for his colleagues.
Meanwhile, Michael shared, “Staffing is a big thing, every couple of months there are people offering twice the salary and there is big competition to keep people with certain certifications, especially between the medical staff and doctors.” Breaches, staffing, misinformation, and more are barriers to overcome when navigating this landscape, which is why these CISOs have to stay up to date on the latest trends to ensure their organizations are properly protected.
Have You Seen Any AI Use Cases in Your Health Systems?
When it comes to use cases for AI within healthcare institutions, Esmond, Robert, and Michael all agreed that there is the “good” and the “bad.” Esmond explained, “It’s not all doom and gloom, but humanity can be a force for good and a force for evil. You have to be optimistic and see the upside; there will be phishing and there will be attacks… however, it can help with clinical support, pharmaceuticals, drugs, and AI is starting to find connections that humans have never seen. There’s a lot of answers there, but there’s also a lot of questions to ask, and now AI is giving us the questions.” However, our panelists noted that although AI is a readily available resource when these use cases arise, having effective governance and policies in place will help you prepare for what’s coming, while constantly defending against attacks.
What is the Culture of Compliance?
Whether it is Cybersecurity Awareness Month, educational opportunities, or training sessions, our panelists emphasized the universal need for healthcare institutions to create a culture of compliance. From creating a culture through relationships with leadership, to training new employees on the importance of information security, institutions can change the way they approach cyber-attacks through collaboration and engagement.
Robert also added that we must always consider the diverse workforce when implementing training opportunities. Between physicians and volunteers, it is important to talk about “personal data” in order to resonate with each team and translate this into the workplace. As for potential breaches, Esmond said, “The basic principles are if you don’t prepare to fail you won’t have resilience. Expect the unexpected, prepare to fail, and don’t point fingers when it happens.”
What Are You Doing For Third-Party Risk?
With the increase in data breaches across the healthcare sector, there is speculation surrounding third parties and how these vendors can impact organizations. Michael shared that for his institution, establishing a meaningful relationship with his legal team has allowed him to have all eyes on their third-party risk management program. With this also comes the need to educate each department about the significant impacts third-party breaches can have on their information. Robert added that his institution has delegated a single person to assess third-party threats and where their data is allocated, since this can be the biggest risk within the healthcare sector.
How Do You Stay an Authentic Leader and What Keeps You Going to Work Every Day?
As our panel came to a close, our CISOs shared their final thoughts on what keeps them going, especially in their role as a leader in the healthcare industry. Robert explained that staying factual and authentic to your people and telling them the risks is critical. Given there is so much going on in the world, it’s all about being transparent as a leader in this sector. Additionally, Esmond noted, “I find healthcare very rewarding; the best reward is helping people on the worst day of their life… it is not easy, you will have to be creative, but it challenges you.”
We were thrilled to have had the opportunity to gain insight, perspective, and new ideas on ways healthcare institutions can navigate the ever-changing cyber landscape. Whether you are trying to tackle these challenges or seeking assistance as an organization in this space, Wolf has you covered.