October 2, 2024: In this Today in Health IT episode, Kate Gamble and Sarah Richardson discuss the critical importance of cybersecurity in healthcare. Cybersecurity has become a business imperative as threats like ransomware and data breaches continue to increase. The discussion highlights the need for integrating security into daily operations, ensuring compliance, managing third-party risks, and fostering a culture of cybersecurity awareness across organizations. They also explore human error as the most significant vulnerability and provide practical tips for healthcare leaders to protect sensitive patient data.
01:08 The Growing Importance of Cybersecurity
04:04 Real-World Impacts and Stories
06:28 Strategies for Effective Cybersecurity
Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
📍 Today in Health IT, we're discussing cybersecurity, a business imperative for today's digital landscape. My name is Kate Gamble. I'm Managing Editor for This Week Health, where we host a set of channels and events dedicated to transforming healthcare, one connection at a time. I've spent the last 12 years interviewing healthcare leaders, and I'm excited to bring that knowledge into this community. In philanthropy, we partner with Alex's Lemonade Stand. We've raised nearly $180,000 thanks to the generosity of our partners and community. Join us by visiting our website, and in the top right-hand column, you'll see the logo for our Lemonade Stand. Click on that and give today. We hope you'll share this podcast with a friend or colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and your industry. They can subscribe wherever you listen to podcasts.
Today we're discussing cybersecurity, a business imperative for today's digital landscape. Cybersecurity is no longer just a technical issue—it's a critical business imperative. With the rise of remote work and cloud computing, companies face increasing cyber threats such as ransomware and data breaches, making cybersecurity a strategic priority. The article argues that a holistic approach, integrating people, technology, and processes, is necessary to foster a culture of security awareness. Organizations that treat cybersecurity as a business strategy are better positioned to build trust, ensure operational resilience, and support long-term innovation and growth.
We've all seen the stories of breaches happening at an alarming rate, affecting entire organizations. And we've heard people say that cybersecurity is everyone's job. Today, I'm joined by Sarah Richardson, president of This Week Health 229 Executive Development Community. Thank you, Kate. I love today's conversation because, as you and I know well, cyber is something we talk about every day, all the time. People often say, "Oh, it's AI, a flood of information." And I'm like, yes, and remember that cyber is a component of all our lives, every day.
Absolutely. When you look at ransomware and data breaches, these are huge threats. It's only become worse in recent years with so much remote work and cloud adoption. And it's scary because this isn't going away anytime soon. Of course, it's scary. How many notifications did you get from vendors this year? And they weren't necessarily healthcare organizations. When you think about the fact that your data is vulnerable and susceptible to being compromised all the time, and then throw in the layer of patient data protection—managing vast amounts of sensitive information—it really hits home. Healthcare is truly local.
Yeah, and as we've heard, cybersecurity is patient safety. The implications for CIOs and leaders go beyond ensuring operational resilience—they also need to ensure compliance with regulations like HIPAA. It gets complex when you factor in compliance regulations. It does. Last week, during one of our city tour dinners, one of our partners shared a story about why she moved into healthcare. She read about an outage where an ultrasound couldn't be performed because the systems were down, and the hospital missed detecting that a baby had an umbilical cord wrapped around its neck. The baby died before birth.
Stories like that are tough to hear because they show that when breaches, ransomware, or outages happen, people can die. None of us take that lightly. We may not be the ones providing care, but how do we, removed from day-to-day patient interaction, still appreciate operational continuity? It means ensuring services aren't disrupted, care isn't delayed, and understanding how HIPAA and other regulations push initiatives up the governance chain. New systems introduce risks, and we have to consider their impact on recovery time, interoperability, and patient safety. When we acknowledge our responsibility for people's lives, we ensure the right conversations are happening and appreciate the entire continuum of what systems provide.
That's a powerful story, and it shows how much these issues affect patient care. It all comes back to patient care. Another issue that comes up is third-party risk management. Vulnerabilities often come through third parties, and that's a struggle for CISOs and CIOs. A lot of that comes down to vendor management. How do you approach that?
I ensure there's a dedicated workforce for contracts, supply chain, and vendor management. Third-party risk agreements should be reviewed often because new events can change the landscape. Cybersecurity programs, especially for supply chains and vendor contracts, need risk, legal, and leadership at the table. Robust cybersecurity tactics help cut through bureaucracy, and you don’t need a massive organization to afford it. In my last role, I hired a contract management specialist, and he paid for himself within six weeks by reviewing big contracts up for renewal. He saved us $6 million in the first month and a half. I’d recommend everyone have a person or team dedicated to this. If you can’t hire a full-time employee, hire a contractor—someone who knows what they’re doing can make a huge difference.
That’s amazing, and then there’s training. Ensuring people are taking the right steps to avoid mistakes is crucial. Leadership is important, but so is culture—making cybersecurity part of the organizational culture. Absolutely. Human error is our biggest vulnerability today, whether it’s deep fakes, spear phishing, or people giving up their credentials. People aren’t hacking systems—they're logging in through access gained from social engineering.
When organizations conduct staged attacks or training exercises, it helps people learn. It’s important to create an environment where people feel comfortable saying, "I fell for this phishing attempt, but here's how we can improve." I get fake emails and texts every day—it’s easy to fall for something if you’re not vigilant. We also need to educate patients, especially vulnerable groups like seniors. Our responsibility spans the entire continuum—educating patients and employees, staying curious, and, as Drex says, staying a little paranoid.
I love that, and I like what you said about it not being punitive. That makes a big difference. People are more likely to come forward and learn from their mistakes if they don’t fear punishment. If you’re not afraid of making a mistake, you’ll become passionate about keeping yourself and your organization safe.
Thank you, as always, Sarah. 📍 And don’t forget to share this podcast with a friend or colleague. Thank you for listening.