HealthTech joined HIMSS21 virtually for innovative digital programming from the Healthcare Information and Management Systems Society.
The healthcare IT conference and exhibition went hybrid in August — with sessions happening live in Las Vegas and streaming online — after its cancellation in 2020. Topics included emerging technologies, data management, digital transformation, cybersecurity and virtual care.
“The biggest issue that we all had to deal with was just the element of surprise,” said Kathy Hughes, vice president and CISO of Northwell Health in New York, during a digital session on securing the hybrid health system. “How do we continue to operate in this world? How do we continue to be productive? How do we communicate with each other more effectively, because you can’t just walk down the hall now and speak to people? How do we collaborate?”
Fortunately, Hughes’s department had already planned for remote work before the pandemic, in preparation for weather-related emergencies. When the pandemic hit, it was a matter of increasing capacity and communicating and extending that model to other areas of the organization, she said. Now, the pressure is on as healthcare providers become more frequently targeted in cyberattacks, she added.
During a panel discussion on cyberthreats to healthcare, Adm. Michael S. Rogers, former National Security Agency director and former head of the U.S. Cyber Command, offered advice on whether to pay a ransom during an attack.
“I always say, ‘Let’s step back.’ The first thing I say is, ‘What does the law say?’” he said, adding that legal counsel should always be involved.
Healthcare systems need to plan ahead for a ransomware crisis and develop their own decision-making criteria, he said, noting that a blanket “don’t pay” response won’t apply to every situation.
When it comes to preparing for a cyberattack, Rogers stressed the importance of changing the culture around cybersecurity and doing more than just “throwing money” at the problem by investing in newer technologies. Organizations should start with the basics, such as understanding their own network structure or endpoint topography.
“It’s about resilience, resilience, resilience, driven by a risk-based approach,” Rogers said. “You can’t do everything, so it’s about focusing on your resilience.”