NEW YORK – No nation, system, or health entity is immune from the inevitable “bad day.” Our global cyber defenses are in critical condition, and in healthcare, that poses serious risk to human health and livelihoods, according to First Health Advisory CEO Carter Groome, who spoke at the UN General Assembly Health Symposium about cyber resilience on September 26, 2024.
The “bad day” refers, of course, to receiving the dreaded ransomware message, where data is locked up, the electronic health records and technology needed for patient care are offline, and care operations come to a halt. While many entities have incident response plans in place, putting those plans into action in a crisis is another matter.
For the last 14 years, healthcare has been the most affected industry in terms of malicious attacks and related costs. Healthcare has become intimately and utterly dependent on technology, which means, as a default, everything digitally connected is shut down when we’re under cyberattack.
But many nurses and clinicians have never before operated with pen-and-paper processes, not to mention that every bit of technology enables digital health. Without it, data confirms the patient safety and care morbidity risks.
Unless the entire healthcare community and all of us start viewing cybersecurity as a basic operational function, or an imperative to doing business, this cycle is going to continue. Further, remembering that the cyber role falls under the “do no harm” oath in healthcare, we all need to recognize that cyber safety is patient safety.
“Community is crucial to cyber resilience in healthcare. The current landscape demands collaboration and when the sector takes collective ownership of cyber it will lift the security and privacy maturity of the entire system of care,” said Groome.
Resilience is the ability to withstand adversity or bounce back, which can disrupt the ability of our adversaries to ransom, extort, and terrorize our caregivers, our patients, and the business of healthcare. When their leverage is taken away and there is less money available to them, there will inevitably be a decrease in crippling attacks.
Cyber resilience and improving the defenses of all of healthcare is rooted in an understanding that cyber risk is no longer limited to lost laptops or breaches of protected health information: it extends to our basic ability to provide care. And despite the new reality, many entities are still protecting the wrong thing.
We’re spending valuable resources protecting technology and applications but failing to protect the people and the processes essential to operate the environment of care. This is no longer just a technology problem: the real difference will be felt in changing the actions of the organization and its entire ecosystem, with every workforce member working in concert to defend against, respond to, and recover from attacks.
When we all embrace the idea that cyber safety is patient safety, and when that cultural shift becomes integral to the healthcare sector as a whole, I’m convinced we’ll begin to see benefits and to move from critical to stable condition. That means creating and maintaining an environment where cybersecurity becomes a public health and patient safety standard.
It will take a lot of work and a holistic commitment from the officers and leaders of the organizations we are a part of, alongside help from our governments, the caregivers on the front lines, and the public being more aware of the risks at hand. But this cultural shift will help in detecting and preventing these threats, while making it less difficult to respond and recover without the impact and the materiality of today’s attacks.
“I envision an environment where cybersecurity becomes a public health and patient safety standard. A holistic commitment from the officers and leaders of the organizations we are a part of, help from our governments, the caregivers on the front lines, and the public being more aware,” said Groome.