Facilitating interoperability hinges on a security mindset, says HIMSS25 panel

Where data integrity and privacy are subject to a variety of complex standards, laws and rules, organizations must drive security at every turn to protect patient data as well as exchange it.
From left to right, Dr. Hannah K. Galvin, Erika Riethmiller and Alex Enriquez speak at the HIMSS25 Cyber Forum.
Photo: HIMSS Media

LAS VEGAS – "Real-world data breaches have highlighted our gaps currently in security, where we lack readiness, and some of our ongoing homework abilities," said Dr. Hannah K. Galvin, the Cambridge Health Alliance's chief medical information officer.

Galvin moderated a conversation focused on understanding privacy standards and establishing a strong cybersecurity and privacy culture to protect data at the Healthcare Cybersecurity Forum at HIMSS25 here on Monday.

Erik Decker, vice president and chief information security officer at Intermountain Health, who was the forum MC, noted that the panel aligns with three goals in the Healthcare and Public Health Sector Coordinating Council Cyber Working Group's five-year Health Industry Cybersecurity Strategic Plan.

Alex Enriquez, cyber security solution lead at Avanade, cited the Change Healthcare cyberattack and the attack on the Rhode Island Department of Administration's Bridges system, which includes HealthSource RI, the state's marketplace for affordable health coverage, as two significant attacks in 2024 that caused notable reputational harm.

"I think we're starting to see more companies take more of a closer look at security and why it's important," he said. 

"A lot of companies are concerned about reputational impact as a result of a ransomware attack, not just to mention the loss of data and trust from their customers."

These breaches involved managed systems and remote access tools used by many organizations, he said.

Erika Riethmiller, vice president and chief privacy officer at UCHealth, said she is still seeing downstream effects of cyber actors posting stolen data gained from phishing exploits on the dark web. 

A chief concern for her team right now is vendor breaches.

"I'm here largely because it's very painful for me when you have a cyber attack because of all the regulatory and compliance requirements that we then have to kick off on our side of things," she said. 

"Not having an incident response plan on the privacy side of things is simply not acceptable anymore," she said.

Vendors are often sophisticated and have done security work to protect their healthcare customers. 

"But we are very vendor-dependent as a healthcare organization," Riethmiller said. "But as they target vendors, we then have to deal with that as well."

Turning to interoperability, Galvin addressed the controversy over certain uses of the Carequality Network by Particle Health over the past year and what uses of patient data are allowable under exchange agreements.

"Under the Carequality rules of the road, we have agreements about how you can share data for treatment purposes," she noted.

"It becomes a real challenge as we scale our interoperable ecosystem and we look to joining [Trusted Exchange Framework and Common Agreement]."

The panelists agreed that the voluntary Cybersecurity Performance Goals developed by U.S. Health and Human Services were a step in the right direction.

Riethmiller said that after the particular controversy, she now asks better questions. "Because now I know," she said.

Enriquez noted that most organizations are typically unaware of "some anomalous activity that you determine could be malicious." It takes time to investigate, and that is going to be harder on the smaller providers with fewer security resources.

Galvin asked how the CPGs and other healthcare security frameworks align with the HIPAA Security Rule and the modifications proposed by HHS.

Enriquez said it is imperative to develop an ongoing security mindset that goes beyond the usual hyperfocus on audits.

"I think that it sends the wrong tone." 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.