
Mar 06 2025
Security

HIMSS25: Healthcare Needs More Cybersecurity Support in Staffing and Partnerships

Industry leaders discuss the importance of developing talent amid workforce shortages in the sector.

After another turbulent year in healthcare cybersecurity, many organizations expect to increase their budgets to strengthen their defenses.

That’s according to the 2024 HIMSS Healthcare Cybersecurity Survey report, released last month: 52% of respondents said that their overall IT budgets would go up from 2024 to 2025. Among health systems with specific cybersecurity allocations within that budget, 55% expected a targeted increase, with a focus on improving tools, policies or staffing.

It’s clear why cybersecurity is a highlighted issue at the 2025 HIMSS global conference and expo in Las Vegas. The second keynote address Wednesday featured former National Security Agency Director Paul Nakasone, a retired Army general who is also the founding director of Vanderbilt University’s Institute of National Security.

He shared his experience helping to secure the work of the Department of Health and Human Services during Operation Warp Speed at the height of the COVID-19 pandemic, a collaborative effort that inspired new ways to exchange information.

“This is what I learned at Operation Warp Speed: Let’s have a radical partnership, let’s apply it to a problem that is almost unsolvable and let’s figure out how we start to have outcomes. These are exactly the same procedures we need to do with regard to ransomware,” he said, such as developing a center to rapidly provide threat information for rural health systems. 

And as artificial intelligence comes to the fore, Nakasone said, there should be a more systematic approach that includes fostering interest in data science, machine learning and quantum computing among younger generations. We are in this era’s “Sputnik moment,” he said.

The day's other cybersecurity-focused education sessions also discussed talent development and partnerships as ways to improve healthcare’s long-term strategy.


Understanding Healthcare Cybersecurity as an Ecosystem

At a session moderated by Dr. David Rhew, global chief medical officer and vice president of healthcare for worldwide commercial business at Microsoft, one industry leader highlighted the need to inform cybersecurity practices with hard data.

“Everything that we do is inspired by our perspective as clinicians who are used to working with evidence-based medicine. And in cybersecurity, we are needing to catch up from the standpoint of having data that can help us make actionable choices,” said Dr. Jeffrey Tully, an associate clinical professor of anesthesiology at the University of California, San Diego, and the co-director of the university’s Center for Healthcare Cybersecurity.

“Part of the work that we do,” he added, “is to look back and see what lessons can be learned from previous ransomware attacks, specifically on how they affect patient care and patient care delivery.”

For instance, cyberattacks can have a regional impact. When a health system in San Diego was hit with ransomware in 2021, it affected neighboring organizations through increased patient volumes, longer wait times in emergency departments and the diversion of EMS across the city.

“It’s not just adequate to be thinking about your own organization’s posture, but really thinking that you’re a piece in a larger network, and how you plan for the resiliency of the entire health system,” Tully said.

NewYork-Presbyterian Hospital Vice President and CISO John Frushour mentioned that a major takeaway from the conference was learning the difference between disaster recovery and cyber recovery and seeing them as distinct issues. For instance, in account control, disaster recovery is getting people to log back in to a restored system, but cyber recovery is figuring out if the attacker is still in the network and having a way to ensure authentication of trusted users.

Frushour also emphasized the importance of building up new cybersecurity talent, particularly by including more women. He noted that he prefers team members who have general IT experience before they specialize in cybersecurity.


Evolving Cybersecurity Approaches in Post-Acute Care

In the post-acute care space, Riverdale, N.Y.-based RiverSpring Living CIO David Finkelstein discussed how recent cyber events affected his organization. Its electronic health record system vendor relied on Change Healthcare for claims submissions, so the attack forced a return to manual processes, affecting cash flow for at least a month.

Citing the CrowdStrike IT outage, he then emphasized the importance of third-party risk management. “We’ve changed things. Even smaller organizations and larger organizations have changed their disaster recovery and business continuity plans based on CrowdStrike,” he said.

Tamra Durfee, vCISO at managed security service provider (MSSP) Fortified Health Security, highlighted the cybersecurity workforce shortage currently felt across all industries, but especially in healthcare.

“A lot of the times, people don’t think of healthcare from a cybersecurity or IT standpoint,” she said. The smaller an organization is, the harder it may be for it to fill an open role, particularly if it is a part-time position. 

The competition for talent is fierce. “I do think it’s a big deal when we’re talking about the post-acute care sector, and you’re trying to hire somebody for a cyber role, and we have a hospital that’s maybe 20 to 30 minutes away, and they’re also looking for somebody for cyber,” said Robert “Bob” Latz, CIO at St. Clairsville, Ohio-based Trinity Rehab Services. “It changes the marketplace a bit.”

Finkelstein added that his organization initially added an in-house cybersecurity role that had regular turnover. After several years, the organization phased out the role and switched to an MSSP that offered 24/7 monitoring.

Closing out the discussion, Latz said he hoped to humanize the role of cybersecurity in healthcare. “When we talk about cyber safety as patient safety, I hope that you think about the people around you as you’re implementing the cyber pieces all the way through,” he said.


Photography Courtesy of HIMSS25