Even before Petya and WannaCry, the latest ransomware attacks, leaders of hospitals and health systems have been collaborating and fighting back against cybersecurity threats.
This spring in Virginia, for example, a statewide task force on cybersecurity coordinated by the Virginia Hospital & Healthcare Association issued a set of self-protection guidelines for VHHA members. The Virginians are not alone.
“I’ve talked to people in other states, and this is picking up,” says Dan Bowden, vice president and chief information security officer at Sentara Health, based in Norfolk, Va., and a VHHA task force member. “At least half or two-thirds of the states are working on this.”
The widespread formation of cybersecurity collaboratives across states or regions is still fairly new, although a pioneer like the Michigan Healthcare Cybersecurity Council dates to 2013. The Michigan group was formed in response to cross-industry computer security initiatives by the National Governors Association, says Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society, a trade group for the health care information technology industry.
“I’m hearing more of the state-based hospital organizations are forming cybersecurity committees and reaching across with local industries and federal officials and sharing information,” Kim says. “There are hospital councils and associations leading the charge.”
The Healthcare Association of New York State, for example, convened a forum in 2016 with experts from the Department of Homeland Security, FBI, New York City and state police to mutually address cyber defenses. The Greater New York Hospital Association scheduled a Cyber Security Program and Threat Briefing in August.
Massachusetts has its own health care cybersecurity initiative, Kim says, “but there is no national agreement in terms of how folks are doing it.”
“I think it’s fair to say all of the state hospital associations have this on their radar and are working with their members,” says Chantal Worzala, vice president, health information and policy operations, at the American Hospital Association.
The AHA, meanwhile, has a host of cybersecurity resources on its website, aimed at keeping hospital and health systems leaders up to speed, Worzala says. In October in Chicago, the AHA will host its fourth regional cybersecurity training session for executives on the importance of leadership in addressing cybersecurity issues, Worzala says.
C-suite support is key, says Michael McMillan, co-founder and CEO of Cynergistek, an Austin, Texas, cybersecurity firm. “If you don’t have the right culture, the right leadership, you’d better have a really good plan to respond to these events, because you’re going to use it.”
The Virginia task force cybersecurity guidelines include more than 20 specific security recommendations. They call for employees to be not only trained in cybersecurity awareness but also periodically tested with drills, including surprise attacks using simulated email phishing scams.
The group also recommended hospitals implement advanced user authentication procedures, regularly schedule anti-malware and virus scans and institute a regime of data backups. And the task force recommended providers use encryption to better protect their most sensitive data.
In years past, security gurus have criticized the health care industry, alleging chronic underinvestment in cyberdefenses.
“Without dealing in any specifics about the degree of those investments, this entire initiative reflects the fact this is being taken very seriously and (member organizations) are dedicating significant resources to cybersecurity,” says VHHN spokesman Julian Walker.
Bowden, the Sentara CISO, sees value in statewide security collaborations like the VHHA’s.
“Within the state, we can we work together and help one another to reach a baseline of deployable security measures,” he says. “I think a lot of us have decided we’re not competing on cybersecurity, and any time one of us gets breached, it makes all of us look bad.”