This Week Health

If we had to troubleshoot just a few devices every once in a while, our hospital systems would run as smooth as butter, right? 

But when missing devices, security issues, and friction caused by interoperability hit, we can’t expect a smooth operation.

This webinar will answer many questions surrounding the devices integral to keeping patients healthy. Joining us to talk about managing your unmanaged devices are guests Andrew Sutherland, CISO for Children’s Hospital of Los Angeles, Erik Decker, CISO for Intermountain Healthcare, and Jonathan Langer, COO of Claroty and Co-Founder of Medigate by Claroty. Understanding your device inventory can seem overwhelming, but these leaders will share what they have implemented and what can be next for your health system. Hear about the risk management techniques that they have found to manage the devices in their systems.


Before the webinar, check out the Briefing Campaign on our channel, which covers five major topics about unmanaged devices in healthcare. Speaker Samuel Hill from Medigate by Claroty sheds light on the challenges surrounding devices in healthcare and what can resolve them. How do you build zero trust security? How do you assess your technology successfully? How do you handle mergers and acquisitions? How do you manage your devices? Do you know where your devices are? Our conversations cover all of these questions and more.

So many devices. So little oversight. Be the change and listen now to honest conversations propelling healthcare forward! Find solutions and learn how your hospital system can progress without the everyday hindrances to which you’ve become accustomed.


What is Operational Technology? OT comprises the systems that keep hospitals running. Like medical devices, these critical infrastructure items have unique characteristics that make securing them difficult. So, what are the common OT devices found in a hospital, and what should we do about them? What is OT Security? Practices and technologies used to (a) protect people, assets, and information, (b) monitor and/or control physical devices, processes and events, and (c) initiate state changes to enterprise OT systems. Talk to Medigate about their OT security solutions to help keep you operating: https://www.medigate.io/demo

This is episode 5 of 5 in our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Visibility for Zero Trust, Mergers and Acquisitions, Holistic Assessments, and Improved Device Effectiveness. Thanks for listening! 

Sign up for our webinar: Challenges and Solutions to Unmanaged Devices in Healthcare - Thursday September 8, 2022: 1pm ET / 10am PT

Every hospital has thousands of devices that cost thousands of dollars each, yet most of them are idle around 52% of the time. On top of all that, the nursing units are always asking for more! Having an up-to-date inventory, tracking utilization, and monitoring physical location can significantly improve effectiveness and will return millions of dollars back to the operational budget. To learn more about Clinical Device Efficiency, visit https://www.medigate.io/cde

This is episode 4 of 5 on our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Visibility for Zero Trust, Mergers and Acquisitions, Holistic Assessments, and Securing OT Assets. Stay tuned for more. 

What kind of problems arise as a result of starting on a security strategy without doing holistic assessments? We're all trying to improve cybersecurity across healthcare. It’s a never-ending job, unfortunately, but knowing where you’re at across different mile markers or points in time can really help guide you. How do you acquire the data that will allow you to evaluate and refresh your strategy as needed? What processes are in place? How do you bring new devices onto your network? How do you apply or enforce security policy? What processes can you vet or challenge? What technology do you have? Are you missing some key components, or are there components that are not talking to each other? From a holistic standpoint, using an external third party can really help to find the gaps. That’s where Medigate comes in. They can help you to identify and quantify all of the threats and then manage those threats within and adapt your existing management structure. https://www.medigate.io/services

This is episode 3 of 5 on our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Visibility for Zero Trust, Mergers and Acquisitions, Improved Device Effectiveness, and Securing OT Assets. Stay tuned for more. 

One of the hardest things to achieve in business is a Merger and Acquisition. Even with a successful M and A, there are always challenges. There's always stress. And so many questions that must be asked. What technology standards do they operate with? What devices do they have in their environment? What best practices do they adhere to? I think everybody in the world assumes that the CIO knows all this and can identify all the devices and knows what patch version and what risk level etc. But that is not always the case. Connected devices bring complicated risks, so Medigate created a single platform to orchestrate and integrate HDO security throughout your environment, so you can connect with confidence. https://www.medigate.io/demo

This is episode 2 of 5 on our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Visibility for Zero Trust, Holistic Assessments, Improved Device Effectiveness, and Securing OT Assets. Stay tuned for more. 

Visibility is the foundation for zero trust. The reality is that threats in healthcare are getting much more complex. There’s a much broader attack surface. It’s extremely hard to know where all of our devices are. It was hard to know where they were before, which brings us to the question, is zero trust even achievable in healthcare? What does visibility look like and what does it mean? If you don't know what devices are out there or if you're not certain that they’re connecting to your network then it's really hard to apply any security techniques against those devices. Medigate created a single platform to help with visibility and understanding of what devices are there and what’s connecting to the network, so you can connect with confidence. https://www.medigate.io/

This is episode 1 of 5 on our series “Challenges and Solutions to Unmanaged Devices in Healthcare”. Other topics we cover include Mergers and Acquisitions, Holistic Assessments, Improved Device Effectiveness, and Securing OT Assets. Stay tuned for more. 


Experts Explain How to Navigate the Healthcare Cybersecurity Landscape for a Safer Future

October may be National Cybersecurity Awareness Month, but in the 2021 cybersecurity landscape, health IT leaders need to be wary of cyber threats every minute of every day.

This Week in Health IT founder and host Bill Russell first likened the healthcare cybersecurity landscape to a war in 2018. If a foreign warship were anchored off the American coast, the US government would take action. Likewise, they must consider cyber threats. This was as the industry was still processing the back-to-back blows delivered the previous year by notorious cyberattacks “WannaCry” and “NotPetya.” Both attacks were sophisticated cyber-weapons that wreaked havoc on health systems.

Increased Urgency in the 2021 Cybersecurity Landscape Elevates Conversation in Healthcare IT

Even before the uncertainties brought about by the novel coronavirus, health systems were still struggling to fill out their cybersecurity teams. Now, these challenges have continued. Meanwhile, COVID-19 has brought about higher vulnerability as online threats grow in volume and complexity every year. According to Forbes, the number of hacking incidents levied against health systems jumped by 42% from 2019 to 2020. These statistics marked the fifth straight year of increased healthcare data breaches.

Health systems continue to fight to keep safe in the fraught health IT cybersecurity landscape. Leaders must collaborate to bolster their understanding of the threats, vulnerabilities, and possibilities, posited Censinet's Chris Logan during a Newsday interview.

"We're all in the same fight. So at the end of the day, we all need to start working together to solve these problems. It's not about the haves and the have-nots. It's how can we share that best practice? How can we share those controls? I think that's going to be critical moving forward to solve the problem," he said.

As bad actors have increased their attacks, the cybersecurity conversation has continued to garner attention and urgency. As Cybersecurity Awareness Month comes to a close, This Week in Health IT gathered perspectives from some of the leading minds in health IT. Experts have weighed in on the cybersecurity landscape and actionable insights about how to navigate healthcare cybersecurity in 2022 and beyond.

Facing the Staffing Challenges for Cybersecurity Understanding

David Muntz, Principal at StarBridge Advisors

While much has changed in the wider world since Russell made his first “war” comparison, health IT continues to grapple with the same obstacles. If healthcare cybersecurity is a war, the good guys need more recruits—and Russell’s guest on that 2018 episode, David Muntz, knows where to look.

Lack of personnel may be a big issue, but Muntz, a principal at StarBridge Advisors, explained that it’s easy to find IT professionals with the technical skills for cybersecurity. It’s harder to find prospective staff who understand the nuance of the healthcare cybersecurity landscape—and are passionate about it.

Muntz emphasized the value of homegrown health IT talent. He explained how it’s sometimes better to leverage existing clinical knowledge to develop valuable cybersecurity team members. 

“I’ve got plenty of people with technical skills,” Muntz said. “We populate our projects with the best of the people in the clinical areas. Once they go into healthcare IT, they aren’t touching one person at a time—they are touching hundreds or thousands at a time, and it’s easy to draw them over. You don’t need as much technical skill as you need human skills.”

Awareness and Communication Are Top Cybersecurity Priorities

To tackle the ever-growing threats that health systems face, it isn’t enough to have a fully-staffed IT department. Experts like Muntz, Russell, and Sirius Healthcare's Cybersecurity First Responder Matt Sickles all agree that homegrown IT staff are an advantage, provided they are committed to their work.

Matt Sickles, Cybersecurity First Responder at Sirius Healthcare 

Dedicated IT teams will foster success by truly caring about the health of the organization, Sickles explained. These team members have “skin in the game.” They stand opposite to contractors who “get parachuted in to tell the CEO they’ve done a bad job” on security. 

The optimal factor of success is constructive communication, Sickles explained. Staff must be willing to express the severity of the threats staring down their health system and receive attention when suggesting preventative measures.

“Say it out loud, say it often, repeat it. And make it part of the beginning of every discussion related to information,” Sickles said. “If it is information technology or information security, cybersecurity just has to be omnipresent in the conversation.”

During his tenure as a CIO, Russell explained how the chief security officer was designed to be a thorn in his side. Russell encouraged his CISO to consistently pipe up to alert the organization of deficiencies in their security.

“His role is to get in my face and say, ‘We’re not making enough progress in these areas. How are we going to move the needle?’“

Diligence Decreases Cybersecurity Vulnerabilities

Mitch Parker, CISO for Indiana University Health, was quick to name what he perceived to be the largest gap in health cybersecurity.

Mitch Parker, CISO at Indiana University Health

“Due diligence,” he said.

Health leaders should pay attention to the third parties that they use to provide IT services, he added. The risks are manifold. On one hand, a cybersecurity breach can bring down clinical applications from third-party providers if their services are compromised.

A more recent example illustrates the other risk: direct infection passed through a third party. During the SolarWinds breach in 2020, Russian hackers exploited vulnerabilities in the third-party software to gain access to victims ranging from US government agencies to the California Department of State Hospitals.

Parker believes true diligence means incorporating security teams into the procurement process. It can prevent uninformed decisions or panic-buying, especially in the wake of a newsworthy breach. 

“I think the unintended consequence of SolarWinds has been that a significant number of third-party vendors took their marketing materials, added the word ‘SolarWinds’ to them. And they are now making a lot of money off of CIOs that don’t know any better,” Parker said.

Cybersecurity staff should be involved in vetting potential IT partners, Parker posited.

The Simplest Cybersecurity Fixes Go a Long Way

Ryan Witt, Managing Director and Resident CISO at Proofpoint

Attacks that have compromised trusted third-party enterprise vendors, as the NotPetya attacks did, can have catastrophic consequences that are out of the health system’s control. However, most attacks are less sophisticated. Ryan Witt, Managing Director and Resident CISO at Proofpoint, insisted that health systems address the easy routes first.

“I would argue the starting point would be your email gateway. People are essentially being attacked on email or other messaging channels,” Witt said. “You need to have a sophisticated gateway that blocks about 95% of the email that comes your way, so you’re keeping almost all of the bad email away from your users immediately. You’re not forcing them to make a judgment call.”

How to Fight Cybercriminals Before They Reach Your Inbox

In addition to filtering outside emails, Witt suggested the use of Domain-based Message Authentication, Reporting and Conformance (DMARC) capabilities to relieve the pressure on employees. These tools would allow health systems to verify the domain that users are sending their emails from, minimizing the risk of coworker impersonation that can result in serious data breaches.
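What that domain verification involves at the receiving gateway, as an added example that is not from the article or from any vendor named in it: a DMARC check passes only when an SPF or DKIM pass is aligned with the visible From domain, and otherwise the domain owner's published policy decides what happens. The domains, the record and the authentication results are constructed; the organizational-domain rule is a simplification (real verifiers use the Public Suffix List), and the `pct` tag and reporting are ignored.

```python
# Added illustration: DMARC alignment and policy evaluation for one message.
# All domains, records and authentication results are constructed sample data.

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a dict with defaults; None if unusable."""
    if not txt:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    pairs = [p.split("=", 1) for p in parts if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # The v tag must come first and be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    rec = dict(tags)
    p = rec.get("p", "").lower()
    if p not in VALID_POLICIES:
        return None  # simplification: a record without a valid p is ignored
    sp = rec.get("sp", p).lower()
    return {
        "p": p,
        "sp": sp if sp in VALID_POLICIES else p,  # sp defaults to p
        "adkim": rec.get("adkim", "r").lower(),   # DKIM alignment mode
        "aspf": rec.get("aspf", "r").lower(),     # SPF alignment mode
    }


def normalize(domain):
    return domain.lower().rstrip(".")


def org_domain(domain):
    """Assumption: organizational domain = last two labels (no PSL lookup)."""
    return ".".join(normalize(domain).split(".")[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return normalize(from_domain) == normalize(auth_domain)
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, record_domain, record_txt, spf, dkim_sigs):
    """spf is (result, envelope_domain); dkim_sigs is a list of (result, d=).

    record_domain is the domain at which the DMARC record was found.
    """
    policy = parse_dmarc_record(record_txt)
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and is_aligned(
        from_domain, spf_domain, policy["aspf"])
    dkim_ok = any(
        result == "pass" and is_aligned(from_domain, d, policy["adkim"])
        for result, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    # The subdomain policy applies when the record came from a parent domain.
    is_sub = normalize(from_domain) != normalize(record_domain)
    return {"dmarc": "fail",
            "disposition": policy["sp"] if is_sub else policy["p"]}


RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
          "rua=mailto:dmarc@hospital.example")


def run_samples():
    """Evaluate five constructed messages against the constructed record."""
    h = "hospital.example"
    return {
        # Real internal mail: SPF passes for an aligned bounce domain.
        "legit": evaluate_dmarc(h, h, RECORD,
                                ("pass", "bounce.hospital.example"),
                                [("pass", h)]),
        # From shows a coworker's domain, but SPF passed for another domain.
        "spoofed_from": evaluate_dmarc(h, h, RECORD,
                                       ("pass", "bulk-sender.example"), []),
        # adkim=s: a DKIM pass for a subdomain is not strictly aligned.
        "strict_dkim": evaluate_dmarc(h, h, RECORD, ("fail", h),
                                      [("pass", "mail.hospital.example")]),
        # Unauthenticated mail from a subdomain falls under sp.
        "subdomain": evaluate_dmarc("hr.hospital.example", h, RECORD,
                                    ("none", ""), []),
        # A lookalike domain publishes no record, so DMARC has nothing to say.
        "lookalike": evaluate_dmarc("hospita1.example", "hospita1.example",
                                    None, ("pass", "hospita1.example"), []),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13} {verdict}")
```

The `lookalike` case is the limit of the control: DMARC protects the exact domain that publishes the record, not visually similar ones, so gateway filtering and out-of-band confirmation still matter.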

Equipping Staff to Understand Cybersecurity Prevention

Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare

Julie Hubbard, VP of Enterprise IT and Information Security at AMN Healthcare, agreed with Witt’s suggestions, but also endorsed reactive human intervention.

Her organization experienced a near miss when hackers attempted to impersonate her company’s CFO. In response, her organization created new rules. Team members may now execute certain actions only after verbal confirmation.

“We put a new control in place that basically said that no wire transfer would ever be approved via email,” she said. “We always work to validate that the information we’ve received is legitimate—so take it out of the digital communications and literally pick up the phone.”

Understanding the IT Security Landscape to Inform Prevention

Karl West, the Chief Information Security Officer for Sirius Healthcare, said that one of the simplest prevention techniques is staying up to date with the latest healthcare IT patches. Health systems must treat cybersecurity measures as preventative measures. Cybersecurity teams must enlist preventative tactics. Health leaders must treat these measures as the equivalent of a vaccination effort.

“What makes a system susceptible is if they forget to get their vaccines. This is not political and it’s not moral. Just get the vaccine and vaccinate your systems,” he said. “It’s called patch management. You need to be doing that.”

Understanding the Entire Timeline and Potential of a Cybersecurity Attack

Even with strong preventive measures, incidents will continue to happen. West has understood that it’s vital that leaders take a measured approach to response and recovery.

“When you get hit, you must know the difference between detection, response, and recovery,” he said. “They are not the same. They’re not even close to the same.”

West has often seen a failure in understanding the full cybersecurity landscape. Organizations detect a breach and immediately fly into their response, not realizing that the strand they have detected may just be the tip of the iceberg. 

Health Systems Must Secure the Network Before Moving into Recovery

Karl West, CISO at Sirius Healthcare

It may seem counterintuitive. However, he explained that it is better to pause for an analysis rather than launching into a hasty response and recovery effort. If an organization were to rush into response and recovery without fully understanding and eradicating the threat, they may find themselves facing a resurgent hack or malware operation. 

“Don’t move until you’ve completely identified [the threat] in a good shop,” West said. “You should be measuring how long it took to detect and know that you have the threat vector completely understood. Measure how long it takes to respond, how long to recover.”

Health systems can also "sandbox" their systems to help contain a threat, West explained. Health organizations often run “flat networks” that are easy for bad actors to traverse. By segmenting technologies within the health system into sets with strong firewalls between them, providers can quickly shut down infected systems to prevent the spread of a breach—and potentially avert a full-scale system outage.

Creating a 30-Day Cyber Breach Response Plan for Your Health System

Brian Sterud, VP of IT, CISO, and CIO of Faith Regional Health

Other experts agree that long-term vision is vital to full recovery and future prevention.

“Everybody is prepared for the first 24 hours or less. Once you start getting past that threshold, things get a lot more complicated,” added Brian Sterud, who serves as both CIO and CISO at Faith Regional Health.

Sterud has tasked his team with planning contingencies based on key questions.

“How would we operate? How do we get bills out the door? Make sure that patient care is first and foremost, and then make sure that we can get bills out the door.”

Health Systems Cannot Run the Risk of a Compromised Network

Failure to implement simple preventive measures can spell disaster for patients and health systems. Attacks that compromise clinical care are a clear affront to healthcare’s mission. Dr. Eric Quiñones, Chief Healthcare Advisor at World Wide Technology, noted that providers are also responsible for being good stewards of their patients’ private data.

Dr. Eric Quiñones, Chief Healthcare Advisor at World Wide Technology

In the spring of 2021, mid-size provider Scripps Health in San Diego faced down a ransomware attack that forced many of their systems offline for three weeks. The incident cost Scripps a reported $113 million in lost revenue and left the health system legally vulnerable.

“It's very bad that any organization should be held to ransom and breached, but it’s another thing when information is actually stolen,” Quiñones said. About 147,000 patients had their health and financial information compromised in the attack. “It hurts [hospitals] from a credibility standpoint. There's that indirect cost as well. Do patients trust them now?”

The Potential of Legal Ramifications Against Health Systems

Patients have now filed class-action lawsuits against Scripps, alleging that the health system should have done more to thwart the attack and protect patient data.

Unfortunately, the story of Scripps is not a unique one. Its larger neighbor, UC San Diego Health, suffered a breach that lasted from winter 2020 into spring 2021. That event compromised about a half-million patient records and also produced a pending class-action suit.

“This breach was preventable—had UC San Diego Health had the right data protection protocols in place,” the plaintiffs’ lawyers argue.

Building a Better Future for Healthcare Cybersecurity

Kristin Myers is the CIO of Mount Sinai Health System. She knows many bleak statistics about the 2021 cybersecurity landscape, but lists them without losing hope for the future of healthcare cybersecurity.

Kristin Myers, CIO at Mount Sinai Health System

“Twelve percent of all ransomware attacks are in healthcare, and downtime on average can be around 23 days,” she said. “Just think about being down for 23 days—you’ve got to be able to reduce the attack surface, but you also need to be ready in terms of an incident response. Looking at the backups, doing tabletop exercises with our executives, I think that is extremely important.” 

Today, Myers said there is widespread executive support for the cybersecurity operations at Mount Sinai. She’s also hopeful about a new CISO hire brought in from outside the industry. Once past the learning curve of healthcare, she believes outside cybersecurity experts can bring new perspectives and skills to fill the gaps in health IT.

Still, she has understood the road to a healthier cyber future won’t be seamless. Improvement depends on simple best practices, systemwide buy-in, and realistic expectations.

“It’s a journey,” she said. “There’s not going to be perfection with cybersecurity, it’s a maturity journey that everyone is on.”

Twelve percent of ransomware attacks are aimed at the healthcare industry. As the IT conversation homes in on these risks, Kristin Myers, CIO at Mount Sinai, shared her plans for healthcare IT cybersecurity, digital solutions, and the patient experience.

Cybersecurity Preparation: Can Your System Survive 23 Days of Downtime?

Ransomware attacks are not minor inconveniences for health systems; recent successful breaches have taken down organizations for the better part of a month, if not longer. Systems should both reduce the attack surface and have a plan for incident responses, according to Myers. Downtimes after a breach average approximately 23 days, which is not accounted for in many response plans.

Kristin Myers, CIO at Mount Sinai

At Mount Sinai, the system has begun to work towards an effective, long-term cyberattack response plan. According to Myers, they have begun to prepare backups and conduct tabletop exercises with executives to prepare.

Myers also emphasized overall healthcare IT cybersecurity programs. Mount Sinai recently brought in a new CISO, Rishi Tripathi, from outside the healthcare industry. Currently, he has been assessing Mount Sinai's program maturity and governance. According to Myers, the healthcare industry has fallen behind other industries in cybersecurity maturity. This has made outside expertise and insight a valuable resource.

Governance and Support Needed for Program Measures

According to Myers, a combination of the CISO and Chief Risk Officer have utilized an enterprise risk management framework at Mount Sinai. They have listed cybersecurity as a major risk. By having a governance structure of consistent meetings, reports, and committees, there has been more awareness and support towards preventative measures.

"I have to say everyone is extremely supportive of the cybersecurity program. I think it's a journey. There's no perfection with cybersecurity and it's a maturity journey that everyone is on," she explained.

Challenges to Serving Patients Seamlessly

According to Myers, recent digital solutions have come together to create a seamless and frictionless patient experience.

"Our patients are really used to being able to have very easy experiences in other sectors, whether it's retail or entertainment and we need to be able to bring that to healthcare," she explained.

Knowing this, Mount Sinai began looking for solutions like CRM, referral management, texting solutions, and more. The goal is to provide strong, unfragmented patient experiences. This has proved challenging, as it has been difficult to bring the experience together. According to Myers, it has been a slow process.

Determining Priorities for Digital Solutions

Mount Sinai determined their priorities from a combination of operations, clinical informatics, digital governance, and outpatient experience teams. Additionally, having direct patient input for digital solutions is an invaluable resource.

Additionally, Myers has shaped her philosophy for build versus buy. She explained that determining useful solutions starts by going back to the application portfolio. By identifying existing functionality and the enterprise roadmap, a team can identify if there is a point solution or if one must be built.

An example of this is text-to-chat for patients and physicians. The My Mount Sinai application will begin to integrate this digital solution after discovering one of their applications had the current functionality for it.

The Future of AI-Enhanced Medical Imaging

As an academic medical center, innovation is expected. According to Myers, the Dean of their institution has newly appointed a department head for a division over artificial intelligence. As CIO, Myers has begun collaborating with the division on AI imaging. By combining clinical, claims, and social determinant data, there is a way to pinpoint outreach efforts for patients.

Currently, there are predictive models in place, and there is a desire to continue expanding its clinical data science team.

According to Myers, the system has begun to build an enterprise data strategy. This will serve as a foundation, providing additional self-service tools for groups across the health system.

"I think that we have a lot of data assets at Mount Sinai but we want to bring them all together and, as a research institution, make it easier for our researchers to get access to the data appropriately," Myers said.

Myers Sets Healthcare IT Priorities for 2022

Mount Sinai has begun to look across data centers post-pandemic to prioritize consolidation and an overall cloud strategy. According to Myers, there is a need for a multi-cloud strategy to provide various tools for genomics. The system will continue to stay multi-cloud. They have begun analyzing for a primary vendor to transition a majority of its business and clinical applications into.

Myers included data center facilities, cloud strategy, business continuity, and disaster recovery as upcoming priorities.

Beyond this, there are other transformation programs currently in the works. Mount Sinai now has live HR payroll for Oracle Cloud. Therefore, the system must move forward with financials, supply chain, access, and hospital billing. This has been a significant undertaking, according to Myers.

As they continue to roll out Epic, Mount Sinai has begun considering a unified communications strategy for its nurses and corporate team members. According to Myers, the cloud could potentially replace a number of telephones to streamline the number of devices.

"There's a lot going on. I'm sure there are at every institution. But again, cyber and digital are up there, as well as our enterprise data strategy, which we've been very much focused on and got funding for," she said.

Amplify great thinking to propel healthcare forward and raise up the next generation of health leaders.

© Copyright 2022 Health Lyrics All rights reserved