• What are the best ways healthcare organizations can defend against cybersecurity threats?
o Healthcare organizations should adopt a cyber framework and not only focus on HIPAA, as the requirements defined by HIPAA by themselves do not adequately address cyber risks. Cyber frameworks such as the NIST Cybersecurity Framework or the CIS Critical Security Controls are purpose-built for today’s cyber risk environment. In my opinion, these frameworks fill in the “gaps” in HIPAA’s requirements.
• Are there any current healthcare IT security trends that are actually helping to protect hospitals and healthcare organizations from cyber security threats? If so, what are they?
o No. Healthcare is increasingly using technology, and thus is increasingly susceptible to the challenges of using technology. Healthcare isn’t turning back to paper, so these challenges are here to stay.
• Please outline a few IT security challenges that the healthcare industry faces. What is NYP doing to address similar or other challenges?
o Healthcare faces the same challenges as every industry, ranging from patching servers in a timely manner to ensuring that the supply chain is secure. I think the distinction for healthcare is that many organizations are late to understanding the importance of security as a patient safety measure. NewYork-Presbyterian’s Board and CEO understand the criticality of information security to delivering safe and effective patient care. NewYork-Presbyterian has embraced cyber frameworks, and is investing in cyber technologies deployed in other industry verticals.
• How are medical devices also at risk of cyber attacks, and what can be done to safeguard them?
o Medical devices are currently a major risk for healthcare organizations as the device manufacturers have all too often focused on functionality over security controls. And, at times, physicians have opposed controls being added to devices because they viewed the controls as burdensome (e.g., having to log in to a medical device). NewYork-Presbyterian is actively engaging device manufacturers on the security of their products, as well as joining MDISS, an organization that offers a promising means for collaboration between manufacturers and healthcare organizations.
• Healthcare IoT security issues: Are there potential long-term risks for the healthcare industry if massive cyber security breaches continue?
o Healthcare is increasingly using internet-connected medical devices, telehealth, and other cutting-edge technologies to deliver more timely and efficient care. However, these initiatives are at risk if healthcare does not adopt cyber controls to protect this information and the systems supporting these new initiatives.
• Hospitals have lots of information but can’t always find ways to use it effectively to drive business. Data is both difficult to access and needed by more applications. How do you examine the effective and proactive use of data—how to consolidate, integrate and use it to drive business?
o Multiple leaders and groups at NewYork-Presbyterian look at this issue, including our analytics team, Chief Transformation Officer, and leaders across all departments. NewYork-Presbyterian is becoming increasingly effective at utilizing information because we have focused on collaboration, and breaking down silos between business lines and IT. This has led to innovative programs such as our telehealth initiatives, including our NYP OnDemand platform which provides for capabilities such as digital second opinions, virtual visits and TeleStroke care.
• With your rich experience of managing IT organization and steering technology for your industry, can you please share some of the unique lessons learned and your advice for CISOs and IT leaders?
o The most important lesson is to listen and be open to ideas. IT leaders can be siloed from the individuals and business functions they support. Collaboration starts with listening to the business and working together on solutions.