Nearly every day, the news brings word of another data breach at a major corporation. Hospitals and health systems are not immune to this danger, and more importantly, they are part of the United States’ critical infrastructure — that is, their systems and assets are considered so vital to the country that their impairment as a result of a cyberattack would pose a threat to the nation’s public health and safety.
Although trustees are not involved in day-to-day management and operations, they still have the responsibility to understand, at a high level, the hospital’s cybersecurity risks and vulnerabilities as well as leaders’ security and response plans. In some cases, information is at risk, which could result in destruction or corruption of patient or billing records or personnel files, disruption of the revenue cycle, and theft of financial and intellectual property. Hospital leaders must take steps today to secure their organizations’ information and develop the capability to share data seamlessly in a protected manner.
Hospital risks also may involve patient safety or quality of care. For example, in June 2013, the Food and Drug Administration highlighted this aspect of cybersecurity when it issued a recommendation that manufacturers and health care facilities implement appropriate safeguards to reduce the risk of medical device failure due to cyberattack. In addition to creating specific damages like those described, an attack could hurt the hospital’s reputation.
The National Institute of Standards and Technology last October published a draft Guide to Cyber Threat Information Sharing that highlights the importance and benefits of information sharing among organizations and different methods for setting up information-sharing groups.
The health care sector has been one of the early adopters of information sharing and has set up the National Health Information Sharing and Analysis Center. Other groups, such as HITRUST, also provide guidance. These types of organizations provide members with access to a secure information exchange infrastructure to allow for the free flow of actionable intelligence and incident response information, as well as reports detailing best practices for the industry.
As threats mount, legislation mandating information sharing for owners and operators of critical infrastructure likely will pass either this year or next year. We encourage you to consider the benefits of joining an information-sharing endeavor. You can find more information, as well as other cybersecurity resources, at the American Hospital Association’s website at www.aha.org/cybersecurity.
Fred Gattas Jr. (firstname.lastname@example.org) is COG chair and a trustee of St. Jude Children’s Research Hospital in Memphis, Tenn.