Healthcare C-suite executives do not need a PowerPoint presentation from the CISO to understand that cybersecurity should be a top priority for healthcare provider organizations today. They just need to read all the headlines of security breaches at hospitals across the country. But are they doing so?

Nearly a third of hospitals and health systems are planning to implement biometrics (29%), digital forensics (28%) or penetration testing (28%) within the next 24 months, according to new HIMSS Media research. (HIMSS is the parent company of Healthcare IT News.)

However, 43% say funding is keeping their organizations from executing on security challenges they have, the research shows.

This is the fourth installment in Healthcare IT News' latest feature series, "Health IT Investment: The Next Five Years." This fourth feature focuses on cybersecurity.

The series offers interviews, mostly with CIOs, to learn from them the path forward through the priorities they set with their investments in six categories: AI and machine learning; interoperability; telehealth, connected health and remote patient monitoring; cybersecurity; electronic health records and population health; and emerging technology and other systems.

Click here to access all the features currently available.

The five CIOs and one COO discussing their plans for the next five years in this installment include:

• Cara Babachicos, senior vice president and CIO at South Shore Health, a health system based in Weymouth, Massachusetts.
• Matt Hocks, COO at Sioux Falls, South Dakota-based Sanford Health, a $6 billion health system serving a predominantly rural population over a four-state footprint with both payer and provider arms.
• Mike Mistretta, vice president and CIO at Virginia Hospital Center in Arlington.
• B.J. Moore, CIO of Providence, a health system that operates 52 hospitals across seven states – Alaska, Montana, Oregon, Washington, California, New Mexico and Texas.
• Michael Restuccia, senior vice president and CIO at Penn Medicine in Philadelphia.
• Dr. Umberto Tachinardi, CIO at Regenstrief Institute in Indianapolis.

'A tremendous amount of money'

"Cybersecurity is ever-changing as new technologies and threats emerge," said Mistretta of Virginia Hospital Center. "We have spent a tremendous amount of money in the past two years hardening our defenses and filling gaps so we are compliant with best practices.

"The interesting thing on this front is now the insurance companies are getting involved, dictating specific security capabilities be in place in order to provide any type of cyber coverage," he noted. "In our last renewal, we had to fill out an extensive survey from three separate companies just to receive quotes."

"We have spent a tremendous amount of money in the past two years hardening our defenses and filling gaps so we are compliant with best practices."

Mike Mistretta, Virginia Hospital Center

The organization also had to focus on a workforce transitioning to a home setting, so it enhanced network traffic monitoring to assist in early identification of a potential breach.

"Our leadership has been extremely generous in funding these efforts over the past few years, as we have had several local healthcare entities locked offline due to ransomware that raised the risk profile for the organization," he explained.

In the next few years, Virginia Hospital Center will invest in cybersecurity as needed to stay compliant with insurance; the organization is comfortable with current investments.

"I see our next investment related to this to focus more on recovery in the event a breach were to happen," he explained. "Currently we are investigating immutable backups to the cloud with either Azure or Amazon that will provide a layer of insulation between our current systems and a reliable restore point should it ever be needed.

"For us, selling these investments to our board has been relatively easy: The news cycle has been able to convey other healthcare entities near us that have been breached, so it lightens the justification requirements," he added.

Tripling the investment in cybersecurity

Moore of Providence speaks plainly on the subject of cybersecurity.

"Yeah, I'll probably regret saying this – we've probably tripled our investment per year in cyber over the last two years under my leadership," he said. "And next year we plan to continue to increase that. We do see that beginning to plateau. We're getting to a level of investment where it's probably an appropriate level.

"I'm happy to say I haven't had to twist any arms during my two-and-a-half years here. That's no small feat, right?"

B.J. Moore, Providence

"The bad guys keep getting smarter every day," he continued. "And so we need to continue to advance, but we believe basically next year will kind of be more of a sustained level. And then we sustain cyber after that. If the situation changes and becomes more aggressive, obviously, this is an area that we'll continue to invest in more. But we believe we'll get to a stable level by the end of next year."

Moore has had no problems getting the C-suite and the board to support funding for cybersecurity.

"The headlines are validating our expenditures," he said. "I've been fortunate enough to have incredible support from my board and C-suite. And so as I've made these recommendations, they've trusted my recommendations. And then when they see peers being attacked in the headlines, it's validating that they supported the right decision.

"I'm happy to say I haven't had to twist any arms during my two-and-a-half years here," he added. "That's no small feat, right?"

Synthetic data

As more data is generated and exchanged electronically, hackers, who have an asymmetric advantage, continue to use more sophisticated techniques, said Tachinardi of Regenstrief Institute.

"Cybersecurity is an issue that needs ongoing attention," he stated. "One of the offshoots of cybersecurity is Regenstrief's exploration of the potential of synthetic data. Synthetic data reflects the characteristics of real patient data, but does not include real patient information.

"This level of cybersecurity is found only in a few research environments that handle very sensitive data."

Dr. Umberto Tachinardi, Regenstrief Institute

"Because it is statistically similar, it can be used in the same way as real data, but without compromising privacy," he continued. "This also allows for quicker access to the information for research purposes."

Regenstrief also is working with the Indiana Clinical and Translational Sciences Institute (CTSI) and Datavant to enable linking of data from disparate sources without patient identifiers. Regenstrief serves as the linkage honest broker for the National Institutes of Health National COVID Cohort Collaborative, a national repository of de-identified data from health systems across the U.S. created to help researchers answer questions related to the pandemic.

"Under normal circumstances, de-identified data prevents data linkage, but this novel strategy opens doors to create similar repositories for other diseases while protecting patient information," Tachinardi explained. "Since this project is funded through federal funds, and the systems will host federal assets, a FISMA [Federal Information Security Management Act] moderate compliant cloud-based computational environment is being set up. This level of cybersecurity is found only in a few research environments that handle very sensitive data."

Expending additional funds

Cybersecurity continues to be the area of greatest threat to many healthcare organizations, said Restuccia of Penn Medicine.

"Each year, Penn Medicine expends additional funds to protect its data assets and ensure operational effectiveness," he noted. "Our investments focus on technology solutions that protect our network perimeter, monitor network activity, and ensure secure network access and appropriate data access, to name a few key strategic underpinnings of our program.

"Each year, Penn Medicine expends additional funds to protect its data assets and ensure operational effectiveness."

Michael Restuccia, Penn Medicine

"Other efforts focus on end-user education – driving awareness to external threats attempting to gain access to systems through phishing and other mischievous methods," he continued. "Finally, [we have developed] solid policies that clearly communicate appropriate use by employees of system access and data protection support the data privacy and security needs."

These investments are readily agreed upon by members of senior leadership, given the consistent reporting of breaches, hacks and ransomware throughout healthcare and other industries, he added.

"The potential impact upon operations, patient privacy as well as the reputational harm that may arise from such malicious events, requires constant attention as well as never-ending strategy and investment," Restuccia said.

The tools of the trade

Babachicos of South Shore Health said the health system has been making significant investments in cybersecurity, and she does not expect that to change anytime soon.

"There are so many different types of technology that are important for the cybersecurity platform," she stated. Integral to her program are the following:

• Tools to manage the environment and detect and identify patch levels of all devices, including biomedical devices.
• Tools to protect the environment and the perimeter and ensure that all systems are being accessed and protected with high-level standards.
• Tools to report and aggregate the information coming in, such as security, information and event management (SIEM) solutions, and additional technologies to analyze the data and interpret and act on high risks.

"These are just some of the approaches that will continue into the future, but the level of complexity of these tools and the automation and user behavior analytics of these tools will continue to mature," she said.

"There are so many different types of technology that are important for the cybersecurity platform."

Cara Babachicos, South Shore Health

With zero-day patches on the rise, South Shore continues to train its users on phishing exploits. Babachicos said the organization is doubling down on the training and education side because it knows that successful phishing often leads to ransomware.

Meaningful investment

Sanford Health will continue to invest in cybersecurity over the next five years. The increase in cyberthreats to healthcare organizations, the sophistication of the cybercriminals and the ever-evolving technology landscape all require a meaningful investment in resources to protect the organization's people and patients, Hocks said.

"Some of the investments will go toward full network visibility, AI-based behavior analysis and connected medical devices."

Matt Hocks, Sanford Health

"Some of the investments will go toward full network visibility, AI-based behavior analysis and connected medical devices, both in our facilities and in patients' homes," he noted.

"Our team has intentionally and thoughtfully engaged leadership across the organization on cybersecurity awareness and education, which has pivoted the conversation from a 'sell' to a 'risk-based decision' and included deep involvement and support from our clinical operations," he concluded.

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.