3 steps to strengthen health care cybersecurity strategies

Cybersecurity MMBI industry snapshot

May 30, 2024

Earlier this year, Change Healthcare, among the world’s largest health care clearinghouses for medical claims, experienced a devastating cybersecurity incident. The event shut down the organization’s electronic payment platforms and pharmacy network services. The impact continues to be far-reaching for any health care system that relied on Change Healthcare’s services. Critical processes at health care organizations came to a halt, hampering both providers and patients.

According to an American Hospital Association survey, 94% of hospitals are experiencing a financial impact from the Change Healthcare cyberattack, with more than half describing it as “significant or serious.”

“Many medical practices and health systems continue to experience major revenue struggles that threaten their overall financial viability not only due to the revenue cycle disruption, but also because of the impact on basic financial operations such as processing payroll,” says Greg Vetter, an RSM principal and health care cyber risk services leader.

Operational and communications challenges are many when a breach involves sensitive patient information, he says. Vetter recommends organizations shore up their cyber flanks and consider the following:

Conduct a robust review of business continuity and disaster recovery planning. This work enables an organization to sustain essential operations during a major disruption to systems, processes, facilities and more. An organizational business impact analysis, often the foundation of recovery planning, should include essential vendors and other third parties supporting critical business activities—a measure that would have helped organizations identify the Change Healthcare risk and provided the opportunity to respond more effectively.

Take inventory of all third parties deemed critical to the organization. The process for identifying high-risk vendors is nuanced and must be thoughtfully executed, as risk is not just driven by vendor spend or proximity to the largest applications or processes. The inventory should document the services provided and business processes the vendor supports, as well as the type of data stored, processed or transmitted on the organization’s behalf. In addition, organizations should consider their extended vendor ecosystems that include fourth parties, along with the vendors and service providers third parties rely on. Due diligence should be conducted regularly during the vendor relationship.

Carefully evaluate the overall cyber program. Cyber incidents can originate with a vendor or other third party, but the greatest risk to an organization remains the failure of its internal cyber protections. Organizations should regularly assess their program to ensure it is meeting the requirements of a rapidly changing digital world.
