CyberForce|Q - MHA | Michigan Health & Hospital Association

MHA CEO Report — Time to Focus on Cybersecurity

September 1, 2022 MHA Rounds, Member News

“The world-altering powers that technology has delivered into our hands now require a degree of consideration and foresight that has never before been asked of us.” ― Carl Sagan

A long-held practice utilized by businesses of all stripes is the ubiquitous SWOT (strengths, weaknesses, opportunities and threats) analysis. For a hospital or health system in 2022, there is no shortage of candidates to fully stock the “threat” category. In this column, I want to draw attention to one that deserves increased attention because of its potential to cripple an organization in an instant: cybersecurity.

The wonders of technology have dramatically improved healthcare in Michigan and beyond. Advancements include imaging technology that identifies serious disease at a much earlier stage, robotic devices that permit surgical interventions that were previously considered too risky to attempt, remote patient monitoring and telehealth, and electronic medical records that facilitate better tracking and coordination for patients across various sites of care — the list is impressively long. And amid our current workforce shortage crisis, we often describe technology in healthcare as a “force multiplier” that can supplement and extend our limited staffing resources to help ensure adequate access to care.

Make no mistake, healthcare still has one foot on the proverbial dock and one foot in the proverbial boat. That is, many of our communications and services remain in the “analog” world, while a growing share have become electronic, digitized and inter-connected. This phenomenon — coupled with the fact that the personal health information we collect and store has more value on the black market than any other data — has painted a neon target on our back for a growing cadre of cybercriminals and adversarial nation states. It is no accident the FBI has identified healthcare as the number one target of these bad actors. And simply put, a cyberattack on a hospital is a “threat to life” crime. We must act accordingly.

The statistics on healthcare attacks are enough to keep any executive up at night. An attack on a midsize hospital creates an average shutdown time of 10 hours and costs on average $45,700 per hour, according to an Ipsos report. In the same report, 49% of the respondents said their annual compliance budget for cybersecurity wasn’t enough. According to IBM, a data breach at a healthcare organization costs more than any other sector at $10.1 million. And the threat continues to grow, as healthcare cyberattacks have increased by 84% from 2018 to 2021, according to Critical Insight. Michigan hospitals, health insurance companies, physician offices and others have been the victims of ransomware attacks and related cybercrime in recent years.

If this wasn’t bad enough, a spotlight was shone on cybersecurity this past spring during Russia’s invasion of Ukraine, when cyberattacks on the Ukrainian government and critical infrastructure organizations had the potential to ripple across multi-national organizations and infect U.S.-based operations, including healthcare. Experts believe this scenario will be part of every future global conflict. And unfortunately, for many hospitals and health systems who welcome patients from multiple foreign countries, and who have business partners outside the United States, the practice of “geo-fencing,” or blocking all incoming email traffic from outside the country, is not always a viable approach.

So where can hospitals and health systems turn for help? At the national level, the American Hospital Association anticipated this trend several years ago and employs John Riggi as the national advisor for cybersecurity and risk. John has been a resource for the MHA in the past and as a former leader within the FBI’s cybercrime division, he maintains close ties with all the relevant government agencies.

And here at the MHA, we are also very committed to strengthening our own cyber defenses, while doing the same for our members. We have appointed Mike Nowak to serve as our own Chief Information Security Officer. Several years ago, Mike and his team helped to launch, and have subsequently helped to operate, the Michigan Health Security Operations Center (Mi|HSOC) for hospitals and health systems. Created for healthcare providers by healthcare providers, this first of its kind entity has the proven ability to prevent, detect, analyze and respond to cybersecurity events. Operating 24/7/365, the Mi|HSOC has developed strong relationships and communication with law enforcement at various levels, including the Michigan State Police Cyber Division, FBI and Secret Service.

An organization that helped form the Mi|HSOC is CyberForce|Q, which is now an MHA Service Corporation Endorsed Business Partner. In addition to sharing tactical information on emerging threats with the members of the security operations center, CyberForce|Q offers a variety of additional cybersecurity services to our members and other healthcare clients.

The bottom line — the MHA and our partners have helped Michigan become a leader in this space. By mitigating potential risk, physicians, nurses and staff of our member hospitals have the best opportunity to provide exceptional patient care without any external interruptions. While the advocacy, policy and safety and quality areas of the association often receive public attention, our cybersecurity efforts are constantly at work, often without much notice, to protect healthcare in Michigan.

But we need your help. I am the farthest thing from an expert in this field, but one thing I have learned is that the “human factor” is the most critical element of our defenses — and therefore the most vulnerable. Think twice before opening a suspicious email or text message, safeguard your electronic devices and passwords and take the time to educate yourself on all of the best practices to follow in the midst of this new, online world. The health of your patients and communities may depend on it.

As always, I welcome your thoughts.

MHA Monday Report June 14, 2021

June 14, 2021October 27, 2022 Monday Report

Combating the Novel Coronavirus (COVID-19): Weeks of June 7

The Michigan First-Dose Tracker indicates that, as of June 10, 60% of Michiganders ages 16 and over had received a COVID-19 vaccine. By June 12, more than 892,000 cases of COVID-19 had been confirmed in the state since the pandemic began; but more than 852,000 …

MHA Provides Testimony in Senate on Newly Introduced Legislation

The Michigan Legislature addressed several bills impacting hospitals during the week of June 7, including legislation that would create new statewide systems of care for two time-sensitive emergency medical conditions, modernize scope of practice for …

Association Submits Comments on Medicare Post-acute Care Proposed Rules

The MHA recently submitted comments to the Centers for Medicare & Medicaid Services regarding the proposed rules to update the Medicare fee-for-service prospective payment systems for fiscal year 2022 for several post-acute care …

Community Benefit Reporting and the COVID-19 Pandemic Discussed in Webinar

The COVID-19 pandemic has had significant impacts on communities, patients and the hospitals that serve them and has severely affected hospital finances. Questions have arisen regarding how pandemic-related expenses, revenues and …

MHA and MHA Keystone Center Events Focus on Diversity, Equity and Inclusion

To act deliberately and purposefully to ensure outcomes across all patient populations are equitable, leaders should know where disparities exist, ways to prevent disparities and how to create a culture and system that reduces disparities to improve quality and …

Chief Medical Officer Debunks COVID-19 Vaccine Myths on MiCare Champion Cast

The MHA released a new episode of the MiCare Champion Cast, which features interviews with healthcare policy experts in Michigan on key issues that impact healthcare and the health of communities. …

High Reliability Leads to Safe Work Environment

Creating a highly reliable hospital requires a commitment to a just culture, continuous learning and designing care improvement. The webinar High Reliability in the Time of COVID-19, scheduled from noon to 1 p.m. EDT June 24, will review high reliability principles proven …

CyberForce|Q Offers Continuous, Collective Approach to Cybersecurity Assessments

Headline Roundup: Week of June 6 for COVID-19 in Michigan

The MHA has compiled a collection of media stories that include references to the MHA related to the last COVID-19 surge and vaccines. …

The Keckley Report

Post Pandemic, Affordability Looms as the Big Challenge in Healthcare — This Time, It’s Different

“Pre-pandemic, polls showed healthcare costs were a major concern to U.S. consumers. Post-pandemic, indications are it will re-surface as the industry’s biggest challenge, particularly affordability. But this time, consumers are likely to act differently on their concerns.”

Paul Keckley, June 8, 2021

MHA in the News

Modern Healthcare published an interview with MHA CEO Brian Peters June 7 discussing the new administrative rules requiring implicit bias training for licensure or registration of healthcare professionals in Michigan.

CyberForce|Q Offers Continuous, Collective Approach to Cybersecurity Assessments

June 10, 2021October 27, 2022 Member News

The MHA’s newest Endorsed Business Partner, CyberForce|Q, offers a new approach to cybersecurity for healthcare organizations. CEO Eric Eder described a situation where a rural healthcare system’s CEO shared his organization’s experience from a cybersecurity breach. It involved a ransomware attack that took the hospital offline for two weeks and was still being restored five months later.

The CEO indicated that the organization’s last cybersecurity assessment was performed three years prior and many of the findings were either forgotten or no longer relevant. Its already overwhelmed IT staff struggled to act on findings from seven different assessments performed by five different consultants. Many organizations face similar issues, but CyberForce|Q offers an approach that has proved more effective and more efficient than traditional assessments.

The first step in this approach is to advance from relying upon infrequent and disparate cybersecurity assessments to a continuous assessment model. This model still informs specific controls, but it is also workflow integrated, updated in nearly real time with objective metrics and realigns tactics with strategy every month. The model allows healthcare participants to share benchmark data and best practices.

Created by healthcare for healthcare, the Healthcare Security Operations Center (HSOC) provides collective cybersecurity defense for healthcare 24/7/365. Being part of a collective defense has proved to prevent breaches from happening in the first place. The idea for the HSOC is rooted in trusted sharing established by hospital associations where members can work on solving industry problems together, sharing tactical ideas and best practices to protect all hospitals within the HSOC environment. This continuous and collective approach could benefit Michigan healthcare organizations as they seek efficiency and effectiveness from their cybersecurity technology investments.

CyberForce|Q is offering a virtual event from 10 to 11 a.m. EDT July 14 as part of its Coffee and Collaboration series, where MHA CEO Brian Peters will discuss ways to speak to those in the healthcare C-suite about cybersecurity and will provide insights into emerging issues confronting the healthcare field. The session is free of charge, but registration is required to receive connection information.

For more information on the MHA Endorsed Business Partner program, contact Rob Wood at the MHA.

CEO Report — Emerging from a Pandemic Program Year

June 1, 2021October 27, 2022 MHA Rounds

“Keep your face to the sunshine and you cannot see a shadow.“ — Helen Keller

For many years, the turning of the calendar to June has created an air of excitement as we make final preparations for our incomparable Annual Membership Meeting on Mackinac Island. While I am disappointed that the pandemic has necessitated a virtual annual meeting for the second consecutive year, new guidance from the Centers for Disease Control and Prevention and subsequent revised state guidelines have many optimistic that we have emerged from the darkest days of the COVID-19 pandemic. We know it will still be a long time before our hospitals cease caring for patients infected by COVID-19, but the increasing vaccination rates and mounting evidence documenting the reduced risk of vaccinated individuals contracting, transmitting or falling ill with COVID-19 is a sure sign that better days are ahead.

Now that we are in the home stretch of the current MHA program year (and in light of declining COVID-19 case rates, hospitalizations and test positivity rates in Michigan), I’d like to highlight several very recent non-COVID MHA accomplishments that show the strength and value of our association.

Our advocacy work never stops, and I am very pleased to share that the Michigan Legislature recently advanced budget proposals for both the current and upcoming fiscal year that fully fund our MHA priorities for hospitals and health systems. They include the Healthy Michigan Plan, which now has record enrollment levels in excess of 900,000 Michiganders; recent Medicaid outpatient rate increases; graduate medical education; the rural access pool and obstetrical stabilization fund; and disproportionate share hospital payments. In addition, the budget now includes potentially transformational behavioral health funding.

We are all too familiar with the worsening behavioral health crisis in Michigan and its significant impact on patients and families (as well as hospitals themselves). This issue has been elevated as a priority by the MHA Board of Trustees this year and, with their encouragement and support, we are pleased that the MHA team has secured inclusion in the House budget proposal for $125 million in new funding to add access to pediatric psychiatric treatment at hospitals, improve care of behavioral health patients in the emergency departments and add additional settings of care for behavioral health cases. By adding these resources, we should be able to reduce the time it takes for children to find placement, while also providing infrastructure funding for hospitals to find innovative solutions for emergency departments to improve existing facilities to accommodate patients with psychiatric needs. This may include distinct entrances for patients in crisis and separate spaces with safe furnishings and restrooms. As demand and the acuity of these patients increases, we are hopeful these funds can help address the main challenges so Michiganders can receive the treatment they need.

From an operations perspective, there has been a great deal of recent activity at the association. We recently welcomed Molly Dwyer-White, MPH, as the MHA’s new vice president of safety and quality and the MHA Keystone Center’s new executive director. Molly brings over 18 years of experience in healthcare and comes to us from Michigan Medicine, where she led multiple efforts to establish and integrate structures to assess and improve patient experience while serving as the director of the Office of Patient Experience. Molly is working closely with the MHA and MHA Keystone Center staff and governing boards as she transitions into her role, and I am confident she will continue the MHA’s strong work in improving health outcomes and addressing health inequities.

We just announced our newest MHA Service Corporation Endorsed Business Partner, CyberForce|Q, which is a leading provider of cybersecurity services, advancing the safety of information systems by utilizing a tactical, collective defense model with a focus on continuous improvement. CyberForce|Q has worked directly with the MHA for a number of years and helped us to launch our Mi|HSOC cybersecurity operations center for hospitals and health systems. With healthcare now the top target for cybercriminals globally, we are pleased to offer this new collaboration.

The MHA has also reconfigured our headquarters in Okemos, the Spencer C. Johnson Building, to allow for a new tenant in the Michigan Osteopathic Association (MOA), effective May 1. We are delighted to welcome the MOA and its members to our facility, and we are confident that this arrangement will lead to even greater opportunities for synergy well into the future. Both of our organizations, along with the Michigan State Medical Society, comprise The Partnership for Michigan’s Health, which routinely produces the Economic Impact of Healthcare in Michigan report, and collaborates on efforts that improve Michigan healthcare.

As for those MHA employees housed in the MHA headquarters and our Capitol Advocacy Center in downtown Lansing, their contributions and insights have helped the MHA make Modern Healthcare’s list of Best Places to Work in Healthcare for 2021 — the only state hospital association to be recognized. I am incredibly proud of this prestigious distinction because it validates our constant efforts to support our employees — who are the strength of our association. To earn this distinction in the midst of a pandemic is especially gratifying.

I also want to recognize our outgoing Board Chair Edwin A. Ness, president & CEO of Munson Healthcare, whose term will end later this month. Taking the gavel amid a once-in-a-century pandemic, Ed provided tremendous leadership to help guide us through multiple statewide COVID-19 surges and the challenges associated with the delivery of safe and effective COVID-19 vaccines. We spent many early mornings and late nights on phone calls, and the MHA could not have accomplished what we did without Ed’s unwavering commitment to the role.

During Annual Meeting, we will formally transition from Ed to incoming Board Chair Tina Freese Decker, president & CEO of Spectrum Health, who I could not be more excited to lead us through our next program year. In addition to guiding West Michigan’s largest health system, Tina has played an active role as a co-chair with the Protect Michigan Commission in addressing vaccine hesitancy and increasing education and awareness efforts on the safety and effectiveness of the COVID-19 vaccines.

If you have not done so already, I encourage you to register and join us at Annual Meeting. In addition to hearing Tina’s formal remarks, I’m particularly happy to have my friend Rick Pollack, president and CEO of the American Hospital Association, scheduled to join us to discuss key healthcare advocacy items at the federal level. We will also be joined by Kevin Ahmaad Jenkins, a leader in health equity who serves as a fellow within the Veterans Health Administration’s Office of Minority Health and will explore racism and its effect on public health, as well as breaking social stigmas relating to racial injustice in healthcare.

While the 2020-2021 program year has been one of the most difficult in recent memory, I am proud of the strength and resiliency displayed by the MHA, our employees, our member organizations and the front-line caregivers who have gone to war against the COVID-19 virus every day. We are not out of the woods yet by any means, as we must be mindful of potential emerging variants and other complicating factors that could lead to yet another future surge. Rest assured that the MHA will continue our daily efforts in support of our members until COVID-19 is defeated once and for all. In the meantime, we should collectively celebrate the fact that, at least for now, new infections and hospitalizations have been dramatically reduced.

Through it all, the MHA has continued to serve our members and live our mission to advance the health of individuals and communities, to innovate and to keep an eye to the future. I am pleased to share just a few tangible examples in this column, and I am optimistic about our ability to create even more successful outcomes in the future. In short, we have kept our collective faces to the sunshine and, as a result, our association is as strong as ever.

As always, I welcome your thoughts.