The following is a guest article by Mike Garzone, Security Compliance Practice Leader at Impact Advisors, and Marc Johnson, Director, Security Compliance Practice at Impact Advisors
Experiencing a disruption is no longer a matter of “if” in healthcare delivery – it is a matter of “when.” Cyberattacks are becoming increasingly sophisticated, and many cybercriminals are specifically targeting hospitals and health systems. Prevention is essential, but when the inevitable outage from a ransomware attack or other disruption occurs, healthcare delivery organizations need to minimize the impact on processes that enable them to care for patients, bill for services, order supplies, and pay staff.
The threat landscape will continue to evolve in 2025, exacerbated by financial pressures and fallout from modernization and transformation initiatives. Healthcare delivery organizations’ business resilience efforts must evolve accordingly. Specifically, business resilience in 2025 must be:
Comprehensive
Hospitals and health systems need to look at every organizational business function holistically, which includes all departments, acquisitions, and third-party vendors. Anything that supports a given business function – whether an IT application, a workflow, or a trading partner – needs to be carefully assessed and have contingencies proactively developed around it in case a disruption occurs.
There may be a temptation to focus primarily on evaluating high-profile areas, like the EHR, but the reality is that any point of failure can result in disruption. There is nothing wrong with prioritizing the assessment of critical applications, workflows, and third-party vendors that directly impact patient care. However, ignoring ancillary systems, processes, and vendors simply because they are perceived as “less important” will only lead to disruption of the business. If an IT application, workflow, or trading partner is important enough to support one of your organization’s business functions, it is important enough to be tested and have contingencies developed around it.
Regularly Assessed and Exercised
Culture is vital to any hospital or health system’s business resilience efforts. Stakeholders across every part of your organization need to embrace the value of awareness and repetition. Assessing business functions, addressing vulnerabilities, and developing contingencies cannot be viewed as a one-time event or an inconvenience done to “check a box.” Business resilience efforts should be performed regularly and executed strategically. For example, conducting a comprehensive information security assessment every year before annual budgeting activities can help ensure any newly identified vulnerabilities are funded and addressed within the upcoming fiscal year.
While it is critical to have contingencies proactively in place for all of your business functions, those contingency plans must also be frequently practiced. Breaches, cyberattacks, and other types of outages will happen. When the inevitable disruption occurs, having well-documented and regularly rehearsed plans will enable you to respond and recover. A tabletop exercise or an isolated test of a single recovery procedure has limited value on its own. Scheduling simulated disruptions – where staff follow the documented downtime processes as if a core application had actually been encrypted – will give your organization well-informed estimates of the potential cost and recovery time of a given event, and will expose gaps in the plan while there is still time to fix them. Learning in advance of an actual disruption or incident can be the difference between a few hours of downtime and a few days of downtime.
Built on the Right Foundation
Successful business resilience in 2025 hinges on having a mature governance, risk, and compliance (GRC) program. It is important to note that accountability for this program rests with the board of directors and executive management: in the event of an investigation, HHS will examine the GRC program to determine whether the organization was compliant or negligent.
The GRC program serves as the foundation for the organization’s business resilience efforts, aligning your business and IT strategies while driving standardization across the enterprise. The role of technology is to automate the programmatic security controls identified and organized by the GRC program. The technology itself is not the safeguard; the technology is guided in its configuration and usage by the safeguards and countermeasures outlined in the GRC program. Given rapidly evolving industry pressures and resource constraints, many hospitals and health systems may want to look to a trusted third-party vendor to help them build and grow their GRC program.
The Bottom Line
With disruption inevitable this year, business resilience is essential for hospitals and health systems. Efforts must be comprehensive, regularly rehearsed, and supported by a mature governance, risk, and compliance (GRC) program.
About Mike Garzone
Mike is an accomplished healthcare consulting executive. During his career of over 30 years, he has developed and managed large, multidiscipline teams delivering enterprise-scale solutions for application integration, information management, enterprise resource planning, and advanced infrastructure.
About Marc Johnson
Marc is a performance-driven, C-level information security leader with a long history of driving complex, enterprise-scale technology security programs from vision to value realization, and a proven track record of building and guiding diverse teams toward actionable goals (PCI, HIPAA, GLBA, etc.) and results.