What Does it Mean to Have a Cybersecurity-Driven Healthcare Culture?

By Jessica Davis 

The reported cyberattacks against the healthcare industry in recent years have shut down hospital access and delayed critical care, with most hospital victims experiencing multiple weeks of downtime. Healthcare has “learned some hard lessons,” said John Riggi, American Hospital Association’s national advisor for cybersecurity & risk, during the opening keynote of the HIMSS Cybersecurity Forum.  

And at the end of the day, the sector “cannot defend its way out of the problem,” Riggi continued. Provider organizations must be more proactive, taking offensive measure to reduce patient safety impacts. “Business continuity is not the same as clinical continuity. We need to be prepared to carry on operations for up to four weeks.” 

Riggi set up the remaining theme of the event, keenly focused on cyber resilience, medical device security, and patient safety: all mission critical for care continuity and defending against business and reputational harms. 

The cyber panel that followed, featuring Christian Dameff, MD, UC San Diego Health’s medical director of cybersecurity, examined the foundational aspects that must improve within the healthcare environment for key tools, processes, and policies to improve overall defenses. 

To drive cybersecurity initiatives across the healthcare enterprise, a top-down approach with leadership engagement is imperative. Leaders must break down silos within the organization, reinforcing the critical importance of a strong security posture while considering the roles and concerns of the workforce, explained Dameff and Renee Broadbent, CIO and CISO of SoNE Health. 

“It’s important to check our biases at the door when we talk about the culture of cybersecurity,” said Dameff. Often, those who are hyper-focused in cybersecurity might falsely believe that the culture of the organization is poor, or that people don’t care or aren’t invested in preventing attacks or defending the enterprise. 

Security leaders must take a step back and “get out of our silos” when assessing cyber hygiene or when trying to drive that necessary culture change to fairly determine the reality of the organization, he explained. While it may not be obvious, talking to workforce members throughout the organization can confirm or refute whether the enterprise is really moving the needle on their cyber posture. 

These questions should drill down into employee awareness around the specific stakes facing healthcare delivery organizations, and the employees’ responsibility in being the first line of defense, as well as whether they’re invested in this mission. 

Cybersecurity is about more than phishing, though it remains one of the largest threats facing the network, and it’s not “just the breach of protected health information,” said Dameff. The workforce must understand that the needed cybersecurity focus is rooted in the reality that in their role, they could thwart network access to an attacker. 

“I want [employees] to understand that they hold the responsibility to the network, and their access alone could be the difference in whether or not our enterprise is attacked at a large scale and could impact the patients for which they’re caring,” he added. 

By only focusing on phishing simulations at calculating click-rates, entities are missing out on the opportunity to truly educate workforce members on what’s at stake for failing to act appropriately. The language and approach must remain fluid, however, as entities must maintain credibility and not overuse verbiage that waters down the message. 

“It’s a delicate balance,” but an important one, explained Dameff. The approach requires “pruning and active engagement. Developing that type of cultural drive requires attention to detail and mixing messages and mediums… connecting with people where they’re at and in the languages they speak.” 

It’s only in building this successful messaging and culture change that entities can ensure their other cybersecurity efforts are reaching their full potential. 

To do so, leadership will need to get creative, not just with messaging, but with budgets and resources, as well. Hospitals frequently run on limited budgets, with more needs than financial allocations can afford. With more security needs than available resources, how then can network defenders prioritize these needed projects? 

The question holds no straightforward answer. Dameff noted that determining allocations takes evidence, leveraging the scientific method to be critical of vendor-biased data promoting “solutions” to problems, rather than mitigations – and there’s a large difference between the two. 

That’s where leadership buy-in becomes critical, where security leaders can evaluate their vulnerabilities and use evidence to make informed decisions.