If hospitals want to reduce the odds of major disruptions from ransomware attacks, Steve Cagle says they need to understand the risks.
Cagle, the CEO of Clearwater, a cybersecurity company, recently spoke with Chief Healthcare Executive®. He says hospital boards and their CEOs must be engaged in cybersecurity, and that healthcare organizations must engage in an ongoing effort to improve their defenses.
“And at some point, there’s a line that has to be drawn somewhere,” Cagle says. “How much risk are we willing to accept?”
Health systems looking to bolster their cybersecurity defenses are likely going to have to invest more money, and Cagle acknowledges that can be a difficult choice for hospitals.
Hospital leaders need to ensure that cybersecurity is an organization-wide priority, and it can’t be relegated to information technology departments, Cagle suggests.
Hospitals need to do more than implement tools to deter cyberattacks, Cagle says. They need to test those defenses.
“We see a lot of controls, a lot of tools that have been put in place,” Cagle says.
“What we haven’t seen enough of is actually testing those putting those to the test to see if they work,” he adds.
Cagle calls for continual testing of cybersecurity tools and training of employees.
“That’s how organizations will get better, is understanding where where the high risks are, focusing efforts there, putting the controls in place, testing the controls, making sure that you’re raising awareness throughout the organization, so that people are aware of those situations that get through right, the phishing email, the social engineering, and just leveraging all the resources in the most optimal way to to reduce risk,” he said.
Healthcare organizations have demonstrated a greater awareness of the risk of cybersecurity in recent months, although they still have work to do, Cagle says. He’s especially encouraged by the greater focus on the risks of cyberattacks to patient care, including the disruption of electronic health records and other critical services.
“It’s really a positive thing to see that we are getting that recognition of how important cybersecurity is and how much it is directly linked, not only to financial harm, but also to potential patient safety, and harm to patients,” Cagle says.