HealthLeaders Cyber Resilience Podcast

Welcome to the HealthLeaders Podcast, the place for peer-sourced and solution-focused insights for healthcare executives airing every Tuesday. I'm Jasmyne Ray, HealthLeaders Revenue Cycle Editor. Today, I'm joined by Greg Surla, Senior Vice President and Chief Information Security Officer for FinThrive, to discuss the impact of recent cyber incidents on the healthcare sector with an emphasis on how these events have driven the industry towards enhancing cyber resilience.

Greg, thanks for joining us today.

Thank you, Jasmyne. I appreciate the opportunity to be on the call with you.

Could you provide your perspective on recent cyber incidents in the healthcare sector and beyond to highlight their nature and scale?

Right. It seems to me that over the past couple of years, cyberattacks on the healthcare industry have exploded. In fact, it seems to be happening weekly from what we're seeing. Most attacks are ransomware-based, which are just terrible. In fact, I read this morning that a ransomware attack on hospitals in London caused those organizations to cancel operations and send people away. It’s been really devastating for the healthcare industry. From what I understand, in 2023, cyberattacks impacted something like a hundred million people in the US alone. They said that trend will continue into 2024. Just looking at the Change Healthcare event, UHG says that they have data on one in three Americans. That is equivalent to about 110 million Americans. So, right there, if data has been breached, we've already surpassed last year's trend, and it’s just getting worse.

In what ways have these incidents catalyzed a shift towards greater cyber resilience within the healthcare sector?

I believe the Change Healthcare event was a wake-up call for the industry. From my conversations with other CSOs in the healthcare industry and beyond, it seems there is now a greater emphasis on having backups to your backups. For example, if you have data that you're sharing with a vendor and that data is critical to your business, make sure you have a backup. People are starting to understand that resilience needs to be there. It reminds me of the movie "Armageddon." There’s a scene where Bruce Willis' character is talking to NASA, and NASA explains that his team is the only team that can save the world. He says, "Wait a second. You're NASA. Don't you have a backup? Why don't you have a backup to your backups?" That's what we're seeing in the healthcare industry and beyond. Cyberattacks are occurring, becoming more devastating, and costing organizations a lot of money, not only in data breaches but also in business continuity. We have to get cyber resilience in place, especially in the healthcare industry, because patients' lives are at stake. Let's ensure we have backups to what we're doing, making sure we can bring our operations online quickly and efficiently without causing more damage.

Among the various components of the healthcare revenue cycle, which has been most significantly affected by recent cyberattacks? How does its vulnerability influence cyber resilience strategies?

From my perspective, claims have been probably the most significantly impacted component of the healthcare revenue cycle. The need for resiliency here highlights a weak point in our current healthcare system, where large central platforms can represent the only pathway for providers to submit and get paid for their claims. Again, it goes back to needing resilience and having a backup to your claims provider.

How can healthcare organizations develop and implement robust business continuity plans to ensure operational resilience in the face of future cyber disruptions?

One of the things we do at FinThrive is take a 360-degree view of our environment. We conduct risk assessments and look for any areas that have more exposure than others. Sometimes you miss certain things and don’t realize there’s a problem until an event occurs. We like to look at what areas in our environment and company can cause more harm that we haven’t thought about before. Conducting risk assessments is key. The domino effect is also in play here when you're not accounting for areas where you're not viewing everything that's going on. Ensuring that business continuity plans are in place and take cyber disruptions into account is essential because a lot of times, they may only address it minimally. Ensuring that cyber considerations are integrated into business continuity plans is critical.

My last question for you: When designing a revenue cycle management technology stack, what elements should be prioritized to withstand and quickly recover from cyber threats?

From what we're seeing in the industry, user identity management is probably the biggest thing being targeted, especially something like Active Directory. Ensuring that user accounts are secured, service accounts are safe from breaches, and passwords are changed regularly is crucial. Additionally, prioritizing patching is important. Vulnerabilities won’t magically go away; more are identified daily. When patches are skipped or delayed, you fall behind, and someone is ready to exploit those vulnerabilities, possibly injecting ransomware into your environment. Having a patching plan and patching on time is vital. Finally, creating a security-aware culture in the organization is crucial. Having a strong security awareness program can help mitigate ransomware attacks that often originate through phishing and social engineering. Ensuring that employees and colleagues are aware of these types of attacks is important. This approach needs to come from the top, with buy-in from the board of directors and the executive team. When top-level executives emphasize security awareness, it trickles down to everyone else, reducing the risk of phishing.

Greg, thank you so much for joining us today and for a great conversation.

Thank you.

And thank you for listening to the HealthLeaders Podcast. We'll be back next week with more healthcare industry insights.