Health Tech

How Hospitals Should Manage Cybersecurity Risks, Per Baptist Health’s CIO

As health systems shore up their defenses against cybercriminals, they should openly communicate with their third-party vendors about data security risks and work together to actively manage those risks. That was some of the advice given by Aaron Miri, Baptist Health’s chief digital and information officer, during a Tuesday webinar.

Forty million people have had their personal information affected by healthcare data breaches during the first half of this year — putting 2023 on pace to break the record for number of individuals affected by healthcare data breaches.

With cyberattacks proliferating, data security remains a pressing priority for health systems. These attacks can lead to EHR downtime, delayed services, misuse of patient data and class action lawsuits. Recent research from IBM showed that the average cost of a healthcare data breach has risen by more than 50% in the past three years — now reaching $10.93 million.

As health systems shore up their defenses against cybercriminals, they should openly communicate with their third-party vendors about data security risks and work together to actively manage those risks. That’s according to Aaron Miri, Baptist Health’s chief digital and information officer, who spoke Tuesday during a virtual roundtable discussion hosted by health IT security company Imprivata.

When implementing new technology systems, it’s imperative that health systems know “there are no failsafe, foolproof mechanisms to digitally transform,” Miri said.

“Make sure that you get out of the head of your board of directors and leadership team that you can do this with no risk at all,” he declared.

With this in mind, hospitals’ digital leaders need to abandon mindsets centered on risk aversion and adopt mindsets focused on risk management, Miri recommended. Instead of being fearful of the cybersecurity risks present when adopting new technology, these leaders should always be thinking about how their organization can best assess and communicate about such risks, he added.

One key way hospitals can minimize data security risks is to make sure their third-party partners understand “the traps and trials and tribulations” that providers face when it comes to protecting their patient data across multiple technology systems, Miri said.

“For us here at Baptist Health, we recently implemented a brand new [Epic] electronic medical record system last summer. That was tremendous risk, tremendous moving parts, all sorts of things — but we had full communication with their board of directors about risk management compliance. We did it eyes wide open with a cybersecurity posture in mind,” he explained.

Another piece of advice Miri gave to health systems was to remember that cybercriminals often attack providers when they’re most vulnerable.

For example, a couple weeks ago, Hurricane Idalia hit Florida, where Baptist Health is based. The day before the hurricane hit land, the health system was “facing phishing attacks left and right,” Miri said.

“The bad guys are always watching as you go about digital change or navigate an event like a hurricane or whatever may be going on in your region. So at the end of the day, it’s about awareness, about communication and about effective management and mitigation of risk,” he declared.

Photo: Traitov, Getty Images

Shares1
Shares1