Literature Review

Promoting the resilience of health care information systems—The day hospitals stood stillJAMA Health Forum; Daniel B. Kramer, MD, MPH; Kevin Fu, PhD; 11/24On Friday, July 19, 2024, health care workers woke to emails declaring systemwide information technology (IT) emergencies. Because Crowdstrike had access to the most sensitive core parts of the Windows operating system, the automated process caused an immediate global outage of computer systems using the Crowdstrike Falcon product, which is embedded in many computer systems at health care organizations. Rather than accept this event as inherent to a complex, digitized, and wired health care ecosystem, we urge the US Congress, health care regulators, and the public to insist on proactive preventive methods to avoid future IT catastrophic events rather than simply waiting for the next disruptive crisis requiring an emergent response.

Will AI help improve healthcare security in 2025? Health IT Answers; by Roberta Mullin; 12/10/24 The healthcare sector is particularly vulnerable to cybersecurity risks and the stakes for patient care and safety are particularly high. Healthcare facilities are attractive targets for cyber criminals in light of their size, technological dependence, sensitive data, and unique vulnerability to disruptions. Strengthening our cybersecurity infrastructure and defending against malicious attacks requires vigilance, vision, and collaboration. Can AI help improve healthcare security? We asked our experts what improvements to security we might see in 2025. Here is what they had to say. ... [Click on the title's link to read input from 21 healthcare IT experts.]

PIH Health hospitals targeted in ransomware attack CBS News KCAL, Los Angeles, CA; by Laurie Perez and Dean Fioresi; 12/4/24 PIH Health was targeted in a ransomware attack, forcing officials to completely shut their network offline and leaving millions in the dark when it comes to healthcare. ... Officials say that they were targeted on Sunday by a "criminal act" that "compromised their network." In turn, network services were turned off at their hospitals in Downey, Whittier and downtown LA. ... "Meeting the healthcare needs of our communities remains our highest priority," said a statement from PIH Health. "We continue to provide care during our downtime procedures at all of our facilities, including all three hospitals, medical offices, home health, hospice, outpatient imaging and laboratory."

What healthcare CFOs don’t know about cybersecurity — and what they should ask their CISOs Healthcare Finance Technology (HFMA); by Plante Moran; 12/2/24Cybersecurity is a growing concern for all healthcare organizations amid the ongoing rise of ransomware attacks and other threats. In 2023, the number of reported data breaches in the U.S. rose to an all-time high of 3,205, a 78% increase from 2022, while the average cost of a healthcare data breach hit $10.93 million. What’s driving these alarming figures isn’t necessarily a lack of technology or talent. ... By rethinking their approach to collaboration and risk management, healthcare CFOs can more effectively align security with both technology and the business to help their organizations become more resilient. ... How ready is our organization for an attack? ... 

Ascension president addresses UN on cyberattacks Becker's Hospital Review; by Kristin Kuchno; 11/11/24 Eduardo Conrado, president of St. Louis-based Ascension, discussed the health system's May ransomware attack at a Nov. 8 United Nations Security Council meeting. The council met to discuss strategies for countering cyberattacks in healthcare, according to a Nov. 8 news release from the U.N. Ascension's response to the May 8 ransomware attack cost the health system approximately $130 million. The attack forced its hospitals and clinics off its EHR system and disrupted key diagnostic services, including MRIs and CT scans. ... "Overnight, nurses were unable to quickly look up patient records from the computer stations and were forced to comb through paper back-ups for patient medical history and medications," Mr. Conrado said at the meeting.  ... A comprehensive approach is key, Tedros Adhanom Ghebreyesus, PhD, director-general of the World Health Organization, told the U.N. "Countries should invest not only in technologies for detecting and mitigating cyberattacks but in training staff to respond to them," he added...

A new low? Hacker group targets end-of-life pharmacy provider TechInformed (TI); by Ann-Marie Corvin; 10/28/24 OnePoint Patient Care, an Arizona-based hospice pharmacy serving over 40,000 patients per day, has informed customers about a data breach impacting personal information. OnePoint said it first detected suspicious activity on its network in early August. A later investigation revealed that by this point, the attackers had already obtained files containing personal information from the pharmacy’s systems, including names, residence information, medical records, and prescription and diagnosis information. OPPC told the US Department of Health and Human Services that the data breach impacted over 795,000 people.

CIOs must prepare their organizations today for quantum-safe cryptography IBM; by Mark Hughes, Joachim Schäfer and Arfan Sabar; 10/24/24Quantum computers are emerging from the pure research phase and becoming useful tools. They are used across industries and organizations to explore the frontiers of challenges in healthcare and life sciences, high energy physics, materials development, optimization and sustainability. However, as quantum computers scale, they will also be able to solve certain hard mathematical problems on which today’s public key cryptography relies. A future cryptographically relevant quantum computer (CRQC) might break globally used asymmetric cryptography algorithms that currently help ensure the confidentiality and integrity of data and the authenticity of systems access.The risks imposed by a CRQC are far-reaching: possible data breaches, digital infrastructure disruptions and even widescale global manipulation. These future quantum computers will be among the biggest risks to the digital economy and pose a significant cyber risk to businesses. ... [Click on the title's link to continue reading.]

Ransomware attack at Texas health system spreadsBecker's Health IT; by Giles Bruce; 10/9/24When hackers strike a health system, it can have far-reaching effects beyond just the original target. That's been the case with the Sept. 26 ransomware attack against Lubbock, Texas-based UMC Health System. That event has also ensnared Lubbock-based Texas Tech University Health Sciences Center and Texas Tech Physicians, which share IT systems with UMC Health. The medical school and its affiliated physician group are now in downtime, unable to access their EHR or receive patient portal messages or faxes. Their phone lines are experiencing intermittent outages as well. However, their clinics remain open, as do their pharmacies, albeit with reduced capacity.

77% of health system IT employees eyeing new jobs Becker's Health IT; Naomi Diaz; 9/25/24 Health system IT employees are keeping their options open, with 77% actively seeking new jobs or planning to do so within the next year, according to Bloomforce's "2024 EHR Salary Insights Report." The report, based on an online survey conducted between November and December 2023, gathered responses from 284 healthcare professionals across various roles, including application analysts, team leads, project managers and people managers. It explored areas such as salary, job satisfaction, work-life balance, talent retention and attitudes toward remote work. Here are some key findings from the report: [Click on the title's link to read more.]

CMS teases new cybersecurity policies for third-party vendors Modern Healthcare; by Bridget Early; 9/13/24 The Centers for Medicare and Medicaid Services is planning oversight of third-party healthcare vendors in the wake of the Change Healthcare cyberattack, said Jonathan Blum, the agency's principal deputy administrator. Blum, who also serves as chief operating officer for CMS, said at Modern Healthcare's Leadership Symposium Thursday that the agency is working to determine what levers it can pull to ensure severe disruptions in care like those linked to the cyberattack on the UnitedHealth Group subsidiary aren’t repeated. ... Almost 133 million individuals were affected by healthcare data breaches last year, more than double the number of those affected in 2022 and a number equivalent to about 40% of the U.S. population.

The changing role of chief privacy officers Becker's Health IT; by Giles Bruce; 9/6/24 Chief privacy officers are expanding their roles to take on artificial intelligence and cybersecurity, according to the International Association of Privacy Professionals. Whereas chief privacy officers traditionally focused on being compliant with privacy laws, 69% now have responsibility for AI or data governance, 37% cover cybersecurity regulatory compliance, and 20% have platform liability duties, according to the IAPP survey of 671 professionals released Sept. 6. Some health systems have standalone chief privacy officers, but the hospital industry is more likely to have chief information security officers with privacy duties or a combined role. 

It could happen to you — how to prepare for and mitigate the fallout from a cyberattackMcKnight's Senior Living; by Kimberly Bonvissuto;8/28/24Everyone thinks they know about cybersecurity, but thinking about the effects a cyberattack could have on an organization should be enough to lose sleep over, according to risk management experts. ... Cybersecurity, at its core, is about confidentiality, integrity and availability, according to John P. DiMaggio, co-founder and CEO of Blue Orange Compliance, a risk assessment company. Including senior living in the definition of healthcare, he said that healthcare organizations are targets of cyber criminals because of their relatively weak defenses, the value of the data necessary for operations, and the numerous interfaces and sharing of information that occurs among providers. ... Reasonable security practices — considered the minimum — include risk analysis and management, access control measures, training, incident response planning, physical controls, technical safeguards, third party/vendor management, backup and disaster recovery and patch management. But DiMaggio recommended going above that minimum threshold by using recognized security practices to mitigate penalties and ensure regulatory compliance. Those practices, he said, include email and endpoint protection, access management, data loss prevention, asset and network management, vulnerability management, incident response, medical device security and cybersecurity policies.