What Will It Take to Improve Healthcare Cybersecurity?

During a panel discussion at MedCity News’ INVEST Digital Health conference, three healthcare leaders shared their expert insight on what needs to change in order to improve the industry’s cybersecurity strategy.

From left to right: Theresa Lanowitz, Chief Cybersecurity Evangelist at LevelBlue; Andrew Molosky, President and Chief Executive Officer at Chapters Health System and CareNu; Ben Schwering, Chief Information Security Officer at Premier, Inc; John Mowery, Vice President and Chief Information Security Officer at Houston Methodist

Healthcare leaders are finally starting to take cybersecurity off the back burner, with most provider and payer organizations ramping up their spending in this area in the midst of proliferating cyberattacks.

During a panel discussion held Wednesday at MedCity News’ INVEST Digital Health conference in Dallas, healthcare leaders shared their insight on what needs to change in order to improve the industry’s defense posture and resilience to increasing threats.

There needs to be an organization-wide culture of awareness

When it comes to cybersecurity, a company is often only as strong as its weakest link, pointed out Andrew Molosky, CEO of Tampa-based Chapters Health System as well as its subsidiary CareNu, which focuses on value-based care in the Medicare Advantage space.

One employee opening a phishing email could be all it takes for a cybersecurity disaster to strike, so healthcare organizations must build a culture of cybersecurity awareness among all employees, he said.

“We have clinical protocols, financial protocols and technological protocols for all our environments. If you have the notion that for some reason cybersecurity is a task, or that it’s just a department, or that it’s somebody else’s problem — you’re already off to a bad start,” Molosky declared. “When everybody wearing a name badge for the organization in any capacity recognizes this as being just as critical as the procedures or as the pharmaceuticals or as any other component of the medical delivery, then all of a sudden you have an actual cultural awareness.” 

In order to improve their defense posture, healthcare organizations need to make sure that all employees have at least basic cybersecurity training, he noted. In his view, cybersecurity can’t be viewed as a specialized practice — it must be a core consideration in the organization’s daily operations.

New tech must be built with a high regard for cybersecurity

Healthcare organizations are adopting new technologies at a rapid rate — a report released this week by Bain & Company and KLAS Research showed that three-quarters of the nation’s providers and payers say they have increased their tech and IT spending over the past year.

With all this new technology come additional risks, noted John Mowery, chief information security officer at Houston Methodist.

“We can’t manage the deluge of the innovation that’s coming in, nor the immaturity of the security of those [tools]. That’s a tidal wave that we can’t manage,” he declared.

As new solutions continue to enter the market, the industry needs to come together to ensure these tools are being built with a security-first mindset, Mowery said.

He also noted that it’s important for hospital leaders to stay engaged with their innovation ecosystem and try to be aware of all new technologies that are being deployed within the organization.

Oftentimes, a new tool will be introduced in a physician network or specialty group, and then the hospital’s cybersecurity leaders won’t find out about it until it’s nearly installed, he said.

“That creates challenges and risk for the organization, but also it increases the burden on us, because we now have to go figure out how to remediate all of that risk,” Mowery explained.

Maybe healthcare needs some more cybersecurity leaders from outside the industry

Healthcare organizations looking to build out their cybersecurity programs should look for leaders with a diversity of experience, recommended Ben Schwering, chief information security officer at Premier.

“A lot of times when I talk to healthcare organizations, or I see job postings for security leaders or engineers, I’ll always see ‘must have 10+ years in healthcare’ or ‘must have 25 years in healthcare.’ I don’t agree with that. I’d much rather see someone with some diverse experience come in because they will look at things in a new way,” he explained.

Leaders who come from outside the healthcare world will often flag things that might go unnoticed by people who have been hyper-focused on healthcare for their entire careers, Schwering noted.

Photo: Nick Fanion, Breaking Media