In the past, Allegheny Health Network Chief Operations Officer Duke Rupert says he didn’t necessarily think of cybersecurity as his purview.
But amidst the pressures exacted by COVID-19 – including a significant spike in ransomware attacks – Rupert’s viewpoint changed.
“Quite frankly, [the risk] has become more evident … every single day,” he said during a session at the HIMSS Healthcare Cybersecurity Forum this week. (HIMSS is the parent company of Healthcare IT News.)
The panel discussion, moderated by LifeBridge Health Chief Information and Digital Officer Tressa Springmann, and including Centura Health Chief Information Security Officer Sanjeev Sah, aimed to examine the ways CISOs can work together with other executives to ensure the organization is aligned in terms of risk management strategy.
“From my perspective, everything centers around the patient,” Rupert said. “Anything that potentially endangers a patient is something we need to pay attention to.”
“My knowledge of IT is much greater than it used to be,” he added with a smile.
Sah explained that the team at Centura Health also considers cyber risk from business-operations and patient-care perspectives, among other factors.
He noted that they established an information-security governance structure aimed at addressing risk from a variety of viewpoints. He stressed the importance of framing success to decision-makers as dependent on cybersecurity.
“By going through that process, I believe it helped build not just confidence and trust … but we really took the step of taking any advice and input that we received from all of our stakeholder community in shaping what the plan is,” he said.
“Until we really believe it’s a shared responsibility, it’s a really difficult challenge to overcome,” Sah added.
Similarly, Rupert noted that Allegheny integrates cybersecurity staff into everyday operations.
Just recently, he explained, the organization participated in a hypothetical disaster exercise, exploring what their response would be in case of a major attack.
“I think it’s going to become part of our regular preparation on an annual basis,” he said. “We were very well prepared, but you never know.”
Rupert noted that understanding the risk environment presented by the security team required him to learn a “whole new terminology.” It also led him to think of environment protection as a necessarily collaborative project.
“But when you put it in the perspective of the potential end game, which is an issue with a patient, an issue within a hospital, that elevates it to the level of every other safety issue that we take into account every day,” he said.
“It’s been an eye-opener for me,” he said. “Working with the cyber team – they’ve actually opened our eyes to a lot more areas we need to pay attention to as providers.”