The current risk environment for hospitals and health systems is evolving rapidly, and the changing threat environment blurs the lines between information security and patient safety, requiring each discipline to expand its scope. The C-suites in healthcare organizations need to be on top of changing risk in order to best protect and insure their business.
“Fundamentally, the attack surface has changed such that it is not just about an information system like the EHR, which is bad enough if someone hacks in and changes my blood type and I need surgery the next day and need a transfusion. That is one attack surface,” said Bob Chaput, CEO of Clearwater Compliance, a HIPAA and cyber-risk management solutions firm. “The other matter of the attack surface now is devices that either connect to us like an infusion pump or not just connect to us but are implanted in us like defibrillators and pacemakers, all of which have wireless connectivity as part of the Internet of Things.”
Healthcare executives must understand that these medical devices are susceptible to the same types of attacks as information systems, which ups the risk, Chaput added.
Privacy and security risk is affecting insurance, and in a profound way.
“Take self-insurance through a captive insurance plan,” Chaput said. “When you become large enough as in some of our top 1,000 health systems, where you are paying enormous prices for professional medical liability insurance, there are provisions in IRS regulations that allow a large health system to set up its own insurance company and basically self-insure. Executives who run these captive insurance plans are seeing privacy and security risk bleed over into professional liability and medical malpractice.”
In other words, there could be a negligent matter as it relates to someone hacking into the information system or infusion pump, and then the matter becomes a business risk management issue, which is way beyond the well-intended work of the CIO and the CISO, Chaput said.
“We are now talking about the chief risk officer, general counsel, the CFO, clearly talking about the clinicians themselves, all of which is to say this is way bigger than an IT problem,” he said. “It’s a broad business risk management issue.”
In a day in the life of a CEO of a health system of any size, he or she comes to work worrying about four things: financial stability, satisfaction among stakeholders, quality/patient safety, and career risk, Chaput said.
“What we are seeing is there is a connection between these four strategic matters and this matter of a compromise of PHI or worse yet a compromise of a biomedical device,” he said. “The lines are blurring because such a compromise can affect financial solvency; look at Anthem settling a batch of class action lawsuits for $115 million. And it can affect stakeholder satisfaction, quality of care, and career risk.”
So what can healthcare C-suite executives do to best manage risk in this changing environment? Chaput has a variety of suggestions.
“The single biggest action on the part of the executive team needs to be making the right decision about how they are going to do information/cyber-risk management,” he said. “That is a strategic call. No. 1, getting educated enough to make that decision. No. 2, with the board, articulate a set of governing principles upon which this work will be undertaken and use that as a platform to communicate to the organization, that we are going on a journey, and this is not a project with a start date and end date, this is a new important business process that has to become a core competency.”
And No. 3, formally charter a cross-functional team with clinical, operations, legal, finance, IT, security and others, he added.