A high-level discussion and exchange, “The Executive View: Cybersecurity and Organizational Resilience,” took place during HIMSS ’18, driving home the message that every organization in healthcare is being entrusted with important, sensitive information. The advice shared at this intimate gathering of prominent healthcare executives was primarily designed to help IT organizations improve their security posture in a world of increasing digital threats.
Hosted by Change Healthcare CEO Neil de Crescenzo, and co-sponsored by The Wall Street Journal Pro and Change Healthcare, the roundtable discussion underscored that it’s not a question of if healthcare organizations will have a security breach but, rather, when a breach will happen. The security clock is ticking, as it were, for healthcare organizations as a whole, and not just the IT team.
Noting the importance of elevating the corporate profile of security in healthcare, de Crescenzo opened his remarks stating: “The reality is that cybersecurity—and more importantly, cyber-resilience—must be an executive conversation. We all own it, just as surely as we own the customer experience, workforce success, and growth of our companies.”
The C-suite discussion and listening session offered compelling insights from a panel of top experts, led by WSJ Pro Cybersecurity Research Director Rob Sloan. Other panelists included James Routh, Chief Security Officer at Aetna; Harris D. Schwartz, of NTT Security; and Kiersten Todt, President and Managing Partner of Liberty Group Ventures, LLC.
Sloan kicked off the discussion by using a Slinky toy as a metaphor for how organizations should approach cybersecurity. Resiliency is as important as security, if not more so, he said, noting that organizations must be flexible and nimble to prepare for and respond to threats, but also have the ability to return to their original shape.
Other points raised during the discussion included:
• The level of maturity and resiliency is good and getting better. But from the provider perspective there is more diversity in IT, and therefore a larger attack surface, especially since we are now dealing not with hackers but with nation states. There is also more compliance-driven security and a gap in enterprise security.
• Threat entry points include emails, networks, and endpoints, and they are evolving. In healthcare, there are many vulnerabilities to account for, such as a PC in an exam room, or even a simple MRI machine. The blessing of technology is the efficiencies it provides; the curse is the vulnerabilities it can potentially leave us open to.
• All panelists agreed that organizations are building scenario training practices on a regular cadence; some do it monthly, others quarterly.
• Security is not just IT’s job. Theirs is but one component of preparedness, which includes people, process, and technology. Every member of the executive team owns cybersecurity and cyber-resilience.
• Aetna noted that it participates in NH-ISAC, the National Health Information Sharing and Analysis Center, a nonprofit designed to share best practices.
Change Healthcare will be commissioning more intimate listening and learning sessions at future events, exclusively for C-level executives.
Echoing some ideas put forth less than a week earlier by Change Healthcare, Centers for Medicare and Medicaid Services Administrator Seema Verma announced several new initiatives for interoperability at the HIMSS ’18 Conference in Las Vegas. During her keynote address, Verma said that for data to flow freely, ...