Photo: HIMSS Media
LAS VEGAS – The panel for the HIMSS26 Healthcare Cybersecurity Forum session "United Front: Strengthening Cybersecurity in Rural and Vulnerable Healthcare Systems" addressed strategies and offered advice to healthcare organizations facing cyber threats while also negotiating limited staffing resources and outdated infrastructure here on Monday.
Moderator Jennifer Stoll, chief external affairs officer of OCHIN, a nonprofit health IT organization providing electronic health records, data analytics and services to healthcare organizations in 42 states, asked the panelists what attendees need to know about rural providers as they are "out there standing hand-to-hand."
Representatives from healthcare coalitions discussed how small and rural hospitals can collaborate to strengthen their defenses, build resilience and protect their facilities by talking to leadership at their organizations to drive changes.
Don't do this alone
At a HIMSS Healthcare Cybersecurity Forum three years ago, John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, urged health systems to form regional mutual aid agreements to assure care continuity in the event of an outage and prepare for three to four weeks of downtime.
"Business continuity is not the same as clinical continuity, and we need to be prepared to carry on operations for up to four weeks," he had said.
While the spirit of cooperation among rural organizations is high, several hurdles stand in their way, however. IT staff are rarely dedicated solely to cybersecurity, and organizations are wary of collaboration for a variety of reasons, ranging from a perceived loss of autonomy in a shared service model to general competition.
But these hurdles can be overcome, according to Tianna Fallgatter, director of business development for The Rural Collaborative, a network of 26 rural hospitals in Washington state
"The value of connecting with peers who understand the environment that you have to work in – the resource sharing and knowledge that you can gain from those who work in that environment is just invaluable," she said.
"You can't replace it."
Fallgatter said the collaborative uses cyber hygiene and vulnerability assessments of individual hospitals to generate an "apples to apples comparison" across hospitals and inform a collective strategy to build shared resources.
The importance of storytelling
"We are constantly saying, to be an effective cyber leader, you need to be a storyteller, and you need to be able to explain it in a different way to a leader that is not technical," said Garrett Hagood, CISO for the Coastal Bend Regional Advisory Council in Texas.
Some organizations are accustomed to working together on emergency management for disasters like floods, he said, encouraging attendees to view hospital preparedness programs as cyber-inclusive.
"Our requirements are changing," he said. "I suggest you go home and find out who your coalition is, and bring together a working group or a council so that you can all focus and share and coordinate and prepare in your own region."
Fallgatter said the most important conversation IT leaders can have with rural hospital CEOs and CFOs is how to build a cybersecurity strategy.
"If you can change the narrative … it's a game changer," she added. "If you can get 10 to buy in, you get that pool of hospitals – you get the volume – which incentivizes the high-quality service providers to actually pay attention."
Hagood said that in Texas, the state's federally funded Hospital Preparedness Program, which coordinates mutual aid and emergency response, shared real-time information and deployed resources, like communications terminals and strike teams, to successfully restore critical electronic health records and other patient care systems during a dual crisis when one level-one trauma center faced a debilitating cyberattack while another was simultaneously flooded.
Nine Regional Advisory Councils across the state made it possible, he said.
"What I encourage you to do is to go back home and talk to your emergency managers in your C-suite," Hagood said.
Obtaining needed resources
Stoll asked about resource-constrained environments and workforce dilemmas.
There is a disconnect between IT resources and students, explained Greg Sieg, chief information security officer for Michigan Medicine and chair of the state's Healthcare Cyber Security Council.
"When I go to these events, and I get someone – a student that's looking at cyber – nine out of 10, the question I get out of that student is, 'How do I get into cyber?'"
The council can support organizations with workforce grants, "but they don't know where to begin," he said.
"It's not as simple as just putting a workforce member in because they don't know what to do with that workforce member and how to function with that," Sieg said.
"What do you want this group to hear from today about the needs of rural underserved providers at this time on cybersecurity? If there was one thing that they'd hear, what would it be?" Stoll asked.
"It's a loaded question," said Jim Roeder, chief information officer and vice president of information technology for Lakewood Health System. "We want the patients we serve to be able to get the care that all the bigger systems do."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
