3 Trends From the HIMSS Healthcare Cybersecurity Forum

December 07, 2022 - Experts gathered in Boston on December 5 and 6 for the HIMSS Healthcare Cybersecurity Forum to explore topics such as risk quantification, clinical perspectives on cybersecurity, and medical device security.

Speakers included leaders from the Health Sector Coordination Council (HSCC), Northwell Health, Forrester, the Federal Bureau of Investigation, the National Institute for Standards and Technology (NIST), and more.

The presentations collectively showed that healthcare cybersecurity experts are well aware of the risks facing the sector. However, more collaboration, communication, and balance are needed to effectively tackle those risks and emerge stronger as an industry.

Sector Must Enhance Collaboration, Communication

There is a disparity between the cyber “haves” and the cyber “have-nots,” Christian Dameff, an emergency physician and clinical informaticist at the University of California, San Diego, suggested during a panel discussion featuring experts from ChristianaCare, Vanderbilt University, and George Washington University.

“We represent the cyber 1 percent,” Dameff said, referring to the audience of healthcare cybersecurity leaders from around the country who attended the forum.

“We are here discussing the nuances of very advanced technology and advanced cybersecurity programs to improve the resiliency of our hospitals and deliver clinical care. However, who's not in this room? How many hospitals, how many people taking care of patients aren't having their voices heard?”

Despite the industry’s thorough understanding of potential risks, the sector is facing unprecedented volumes of cyberattacks and data breaches. From the smallest rural hospitals to the largest health systems, all healthcare organizations have cyber risks to manage and varying levels of resources to do so.

In addition, Dameff noted, hospital bankruptcies are on the rise. Meanwhile, organizations are struggling to both obtain cyber insurance and keep up with rising premiums, further widening the gap.

Tackling this challenge requires collaboration and communication between peer organizations, rather than competition, experts suggested. It requires information sharing and relationship-building with government agencies and industry associations.

“I think that important thing is for us to find ways to communicate and socialize,” added Costis Toregas, director of the Cyber Security and Privacy Research Institute at George Washington University.

“We are all in this together,” Greg Garcia, executive director of the Healthcare Sector Coordinating Council (HSCC), said during another presentation. This sentiment was expressed multiple times throughout the two-day forum by a variety of speakers.

Garcia pointed to the abundance of free resources available for organizations of all sizes, such as the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which offers actionable cybersecurity guidance to small and large healthcare organizations.

The sector is making progress in coming together to collaborate, as exemplified by the plethora of guidance and frameworks available to organizations of all sizes. However, more communication and collaboration are needed to close the gaps between the “haves” and the “have-nots.”

Third-Party Risk Management Remains a Pain Point

Third-party risk management was a popular discussion point at the HIMSS event. During a panel session moderated by Erik Decker, assistant vice president and chief information security officer (CISO) at Intermountain Healthcare, experts discussed the current state of third-party risk management and ways in which it could be improved.

Decker was joined by Kathy Hughes, vice president and CISO at Northwell Health, and Steven Ramirez, CISO at Renown Health.

Hughes detailed Northwell Health’s third-party risk management program, which, like many organizations, features a series of questions aimed at gaining a thorough understanding of the vendor’s risk posture. Organizations must consider the types of data that they will be sharing with the vendor, where that data is located, and what devices and systems are involved.

Hughes also noted the importance of communication and collaboration throughout this process.

“It really is about making sure you have established those interdepartmental relationships with your procurement team, your compliance team, your office of legal affairs, and your risk management team,” Hughes stated.

However, Hughes acknowledged that managing third-party vendor risk is a “very manual and labor-intensive process” with lots of friction.

Decker also noted the lengthy and time-consuming nature of managing third-party risk assessments on a transaction-by-transaction basis.

“Do we feel that this is the right way to approach this problem, or could we be doing better?” Decker asked the audience.

The panelists suggested that there is room for improvement. Information sharing between different institutions and getting to a state of surveillance rather than transaction-by-transaction assessments have the potential to reduce friction. The challenge is coordinating those efforts and employing solutions that actually save organizations time and labor while also reducing risk.

In another session, Alla Valente, senior analyst at Forrester, and Kara Wilson, a researcher at Forrester, also noted the expansion of third-party ecosystems and the need to better manage risk across the enterprise. Valente emphasized the importance of considering non-traditional third parties, such as researchers and graduate students who may have access to sensitive data.

Organizations should not overlook non-traditional third parties along with vendors as the third-party ecosystem continues to grow.

Balance is Key

Throughout the two-day forum, speakers referenced the need for balance across the healthcare ecosystem. There must be a balance between data sharing and data privacy, between innovation and security, and between competition and collaboration.

During a keynote session, Anita Allen, a law professor at the University of Pennsylvania, discussed the shift from data privacy and confidentiality as the standing health ethic to the new norm of data sharing in the digital age.

“It is not a secret that attitudes about health data privacy are rapidly changing,” Allen said.

For example, people are increasingly sharing personal health information using wearable technology. Facilitating the flow of health data has become a priority for some businesses and government entities, with the goal of improving healthcare. But Allen suggested that in this journey toward data sharing, key tenets of the data privacy conversation have been lost.

“The old narrative understands privacy, confidentiality, and data protection as the path to better health,” Allen said. “But there is a question as to whether or not the new narrative is taking privacy as seriously as it ought to be taken.”

Allen suggested the need for a careful balance between the old and the new while acknowledging that achieving balance is a subjective process.

In a session entitled “Clinical Perspectives in Cybersecurity,” panelists discussed the nuanced challenges of balancing innovation with security, as well as balancing a clinician’s goal to provide quality care with the need to maintain cybersecurity.

“Clinicians are so focused on quality,” Mark Sugrue, managing director of health solutions at FTI Consulting and the panel’s moderator, explained during the session.

“How do we get them to think about how cybersecurity relates to quality in that balance of quality versus our need to share and secure information?”

Eric Liederman, director of medical informatics for The Permanente Medical Group and national leader of privacy, security, and IT Infrastructure for The Permanente Federation, suggested that the true challenge is getting the cyber workforce to be clinically aware and getting the clinical workforce to be cyber aware.

Organizations need to have joint governance and discussions with clinical leadership in order to achieve that balance, Liederman said.

In addition to discussions about balancing clinical and cyber awareness and new and old ideas about health data privacy, speakers throughout the event discussed the complexities of balancing digital transformation with cybersecurity, balancing security and equity, and more.

Healthcare cybersecurity leaders left the event with no shortage of discussion topics to bring back to their peers and board members. Faced with a variety of emerging and persisting challenges, the industry is working to craft new approaches to managing risk and protecting patient data.