Have you ever noticed how rare it is to have proactive information security?
For urgent incidents, there is a 24/7 toll-free phone number. For data breaches, there are timed responses to each stakeholder. But these are only relevant after the fact.
In Quality Improvement, we talk a lot about the dangers and frustrations of reactive problem management, where the team is always putting out fires rather than planning ahead for success. And the stakes are high in Healthcare Information Security, with the FBI warning that cyber-terror would be ramping up.[1]
The cost of a healthcare cyber incident is also ramping up. As IBM noted in the “Cost of A Data Breach Report,” the cost of the studied breach in healthcare reached $11 million last year, a 53% increase since 2020.[2]
These breaches cause lost work hours, expensive consultations, and legal and compliance fees, and too often result in damages that shutter hospitals despite a community’s need for their services.[3]
Today, my quality improvement recommendation for healthcare information security is to provide proactive advisor lines for employees. It is important to provide the report-an-incident line to ensure prompt response to critical incidents, but it is possibly even more important to prevent such incidents from occurring.
There are high-risk moments in information security, such as mergers, acquisitions, data transfers, full-scale migrations, and vendor changes.[4] Prior to these events, information security officers can provide critical design advice to protect data and ensure that employees are aware of risks and pitfalls, safeguarding the business as well as our patients’ trust.
There is also a need for cybersecurity consulting services to provide advance decision-making guidance for business managers rather than chasing problems when the system is already locked up in a ransomware attack.
What do you think? If it saved your system $11 million, would you contract with a cybersecurity advisor line?
[1] McKeon, Jill (Feb. 10, 2023). HHS, FBI, CISA Warn of North Korean State-Sponsored Cyber Threat Actors Targeting Healthcare. HealthITSecurity. https://www.healthitsecurity.com/news/hhs-fbi-cisa-warn-of-north-korean-state-sponsored-cyber-threat-actors-targeting-healthcare/.
[2] Spearie, Steven (Sept. 1, 2023). HSHS chief executive confirms system-wide outage was caused by cybersecurity incident. The State Journal-Register. https://www.sj-r.com/story/news/healthcare/2023/09/01/hshs-breach-due-to-cybersecurity-incident-system-acknowledges/70744543007.
[3] Kirwan, Hope (Jan. 24, 2024). Eau Claire, Chippewa Falls leaders say news of hospital closures shocked communities. Wausau Pilot & Review. https://wwww.wausaupilotandreview.com2024/1/24/eau-claire-chippewa-falls-leaders-say-news-of-hospital-closures-shocked-communities.
[4] Diaz, Naomi (Nov. 17, 2022). Why healthcare mergers and acquisitions are a cybersecurity risk. Becker’s Health IT. https://www.beckershospitalreview.com/cybersecurity/why-healthcare-mergers-and-acquisitions-are-a-cybersecurity-risk.html.