“The world-altering powers that technology has delivered into our hands now require a degree of consideration and foresight that has never before been asked of us.” ― Carl Sagan
A long-held practice utilized by businesses of all stripes is the ubiquitous SWOT (strengths, weaknesses, opportunities and threats) analysis. For a hospital or health system in 2022, there is no shortage of candidates to fully stock the “threat” category. In this column, I want to draw attention to one that deserves increased attention because of its potential to cripple an organization in an instant: cybersecurity.
The wonders of technology have dramatically improved healthcare in Michigan and beyond. Advancements include imaging technology that identifies serious disease at a much earlier stage, robotic devices that permit surgical interventions that were previously considered too risky to attempt, remote patient monitoring and telehealth, and electronic medical records that facilitate better tracking and coordination for patients across various sites of care — the list is impressively long. And amid our current workforce shortage crisis, we often describe technology in healthcare as a “force multiplier” that can supplement and extend our limited staffing resources to help ensure adequate access to care.
Make no mistake, healthcare still has one foot on the proverbial dock and one foot in the proverbial boat. That is, many of our communications and services remain in the “analog” world, while a growing share have become electronic, digitized and inter-connected. This phenomenon — coupled with the fact that the personal health information we collect and store has more value on the black market than any other data — has painted a neon target on our back for a growing cadre of cybercriminals and adversarial nation states. It is no accident the FBI has identified healthcare as the number one target of these bad actors. And simply put, a cyberattack on a hospital is a “threat to life” crime. We must act accordingly.
The statistics on healthcare attacks are enough to keep any executive up at night. An attack on a midsize hospital creates an average shutdown time of 10 hours and costs on average $45,700 per hour, according to an Ipsos report. In the same report, 49% of the respondents said their annual compliance budget for cybersecurity wasn’t enough. According to IBM, a data breach at a healthcare organization costs more than any other sector at $10.1 million. And the threat continues to grow, as healthcare cyberattacks have increased by 84% from 2018 to 2021, according to Critical Insight. Michigan hospitals, health insurance companies, physician offices and others have been the victims of ransomware attacks and related cybercrime in recent years.
If this wasn’t bad enough, a spotlight was shone on cybersecurity this past spring during Russia’s invasion of Ukraine, when cyberattacks on the Ukrainian government and critical infrastructure organizations had the potential to ripple across multi-national organizations and infect U.S.-based operations, including healthcare. Experts believe this scenario will be part of every future global conflict. And unfortunately, for many hospitals and health systems who welcome patients from multiple foreign countries, and who have business partners outside the United States, the practice of “geo-fencing,” or blocking all incoming email traffic from outside the country, is not always a viable approach.
So where can hospitals and health systems turn for help? At the national level, the American Hospital Association anticipated this trend several years ago and employs John Riggi as the national advisor for cybersecurity and risk. John has been a resource for the MHA in the past and as a former leader within the FBI’s cybercrime division, he maintains close ties with all the relevant government agencies.
And here at the MHA, we are also very committed to strengthening our own cyber defenses, while doing the same for our members. We have appointed Mike Nowak to serve as our own Chief Information Security Officer. Several years ago, Mike and his team helped to launch, and have subsequently helped to operate, the Michigan Health Security Operations Center (Mi|HSOC) for hospitals and health systems. Created for healthcare providers by healthcare providers, this first of its kind entity has the proven ability to prevent, detect, analyze and respond to cybersecurity events. Operating 24/7/365, the Mi|HSOC has developed strong relationships and communication with law enforcement at various levels, including the Michigan State Police Cyber Division, FBI and Secret Service.
An organization that helped form the Mi|HSOC is CyberForce|Q, which is now an MHA Service Corporation Endorsed Business Partner. In addition to sharing tactical information on emerging threats with the members of the security operations center, CyberForce|Q offers a variety of additional cybersecurity services to our members and other healthcare clients.
The bottom line — the MHA and our partners have helped Michigan become a leader in this space. By mitigating potential risk, physicians, nurses and staff of our member hospitals have the best opportunity to provide exceptional patient care without any external interruptions. While the advocacy, policy and safety and quality areas of the association often receive public attention, our cybersecurity efforts are constantly at work, often without much notice, to protect healthcare in Michigan.
But we need your help. I am the farthest thing from an expert in this field, but one thing I have learned is that the “human factor” is the most critical element of our defenses — and therefore the most vulnerable. Think twice before opening a suspicious email or text message, safeguard your electronic devices and passwords and take the time to educate yourself on all of the best practices to follow in the midst of this new, online world. The health of your patients and communities may depend on it.
As always, I welcome your thoughts.