OR Manager August 2023 - 20
Technology
Act and the Health Information Technology
for Economic and Clinical Health
Act; and coverage against losses from
business interruption.
Cybersecurity insurers can also provide
expertise in the event of a breach,
including incident response teams and
breach coaches who can help to restore
systems and provide legal counsel, according
to a May 2023 BizTech article.
Before choosing a plan, hospitals
need to do a comprehensive assessment
of their security capabilities and
weaknesses to ensure the plan does
not leave them exposed to liabilities.
For instance, many of these policies
do not cover ransomware attacks or attacks
from specific nation-states. If they
do offer ransomware coverage, they will
likely require the organization to provide
evidence that they are actively monitoring
and following best practices.
Facing exorbitant costs on both the
insurance side and in the case of attack,
some experts recommend selfinsurance
as an option for larger organizations.
Instead of paying premiums to
an insurance company, the organization
puts that money into an account overseen
by a third party.
Even when cybersecurity insurance
is in place, it can fail when it is needed
most. For instance, in April 2023, a
North Carolina radiology group sued its
cyber insurance carrier after its coverage
lapsed 2 days before a ransomware
attack, claiming that they had submitted
the paperwork for renewal but were told
only after they filed the claim that they
were no longer covered.
Taking proactive measures
A comprehensive plan is critical, but it
also needs to be regularly tested and
effectively communicated. An August
2019 cybersecurity survey of 166 information
security leaders by Healthcare
Information and Management Systems
Society (HIMSS) found that 70%
of cyberattacks originated from phishing
emails-emails that are fraudulent or
20
OR Manager | August 2023
malicious but designed to look legitimate
to trick people into clicking them.
As these attacks have become more
sophisticated, once-a-year cyber security
awareness training is not enough.
Instead, HIMSS advises regular training
with mock phishing exercises to gauge
whether the antiphishing program is
working, or if it needs to be improved
with a goal of less than 10% click rate.
" By involving your entire organization in
the plan, your incident response plan
will be better positioned to act quickly
to detect, contain, and eradicate incidents, "
HIMSS notes.
In a February 2022 HHS report, Pino
writes that it is not enough for hospitals
to perform risk analysis only on EHR
data; they also need to identify risks
across their operations. " You should
fully understand where all electronic protected
health information exists across
your organization-from software to connected
devices, legacy systems, and
elsewhere across your network. "
Preventative measures include:
* maintaining offline, encrypted backups
of data that are regularly tested
* conducting regular scans to identify
and address vulnerabilities
* instituting regular patches, updates
of software and operating systems
* training employees about phishing
and other common IT attacks.
Hospitals can also involve outside cybersecurity
risk experts in these efforts
who work with organizations to assess
their risk and provide 24-7 monitoring.
Hamilton's organization, for instance,
provides continuous monitoring along
with management and consulting services,
and he says they specifically work
with local and rural hospitals that do not
have IT departments on which to lean.
" We put out fires before they get out of
control, " he says.
As these attacks and costs increase,
insurance companies are continuing to
raise their expectations for the preventative
security measures that hospitals
need to have to provide coverage, says
Bhuyan. " Right now, many cybersecurity
insurance providers are going through
rigorous risk assessment of hospitals, "
he adds. " If hospitals are not investing
resources, they may not get coverage,
or it might be a very high premium. Insurance
providers are coming up with
significant expectations from healthcare
systems, and that will get stronger. Insurance
is meant to protect against financial
loss, but it's not a replacement
for building a secure system. " ORM
-Brita Belli is an award-winning writer
and PR professional with published stories
in the New York Times, National Geographic,
MSN.com, and Alternet.
References
Alder S. Ransomware deployed 2 minutes
after hackers gained access
to Johnson Memorial Health's network.
The HIPAA Journal. October 7,
2021.
Bhuyan S S, Kabir U Y, Escareno J M,
et al. Transforming Healthcare Cybersecurity
from Reactive to Proactive:
Current Status and Future Recommendations.
J Med Syst. 2020
Apr 2;44(5):98.
Bose S K, Dasani S, Roberts S E, et
al. The cost of quarantine: Projecting
the financial impact of canceled
elective surgery on the nation's hospitals.
Annals of Surgery. 273(5):p
844-849, May 2021.
Bruce G. Radiology group sues cyber
insurer after policy lapsed right before
ransomware attack. Becker's
Health IT. May 19, 2023.
Cole D, Kuhn H. Congress imposes
new 72-hour reporting requirement
for cyber security incidents. Freeman,
Mathis & Gary LLP. March 28,
2022.
Davis J. Tennessee health system
stops all operations amid cyberattack
recovery. SC Media. May 4,
2023.
Fact Sheet: Majority of hospital payContinued
on page 23
www.ormanager.com
https://www.MSN.com
https://www.hipaajournal.com/ransomware-deployed-2-minutes-after-hackers-gained-access-to-johnson-memorial-healths-network/
https://pubmed.ncbi.nlm.nih.gov/32239357/
https://journals.lww.com/annalsofsurgery/Citation/2021/05000/The_Cost_of_Quarantine__Projecting_the_Financial.5.aspx
https://www.beckershospitalreview.com/cybersecurity/radiology-group-sues-cyber-insurer-after-policy-lapsed-right-before-ransomware-attack.html
https://www.fmglaw.com/cyber-privacy-security/congress-imposes-new-72-hour-reporting-requirement-for-cyber-security-incidents/#:~:text=Under%20the%20new%20law%2C%20certain%20businesses%20that%20are,72%20hours%20and%20ransomware%20payments%20within%2024%20hours
https://www.scmagazine.com/news/breach/tennessee-health-system-stops-all-operations-amid-cyberattack-recovery
https://www.aha.org/fact-sheets/2022-05-25-fact-sheet-majority-hospital-payments-dependent-medicare-or-medicaid#:~:text=In%20fact%2C%2094%25%20of%20hospitals%20have%2050%25%20of,the%20tremendous%20inflationary%20forces%20they%20are%20currently%20facing
http://www.ormanager.com
OR Manager August 2023
Table of Contents for the Digital Edition of OR Manager August 2023
OR Manager August 2023 - 1
OR Manager August 2023 - 2
OR Manager August 2023 - 3
OR Manager August 2023 - 4
OR Manager August 2023 - 5
OR Manager August 2023 - 6
OR Manager August 2023 - 7
OR Manager August 2023 - 8
OR Manager August 2023 - 9
OR Manager August 2023 - 10
OR Manager August 2023 - 11
OR Manager August 2023 - 12
OR Manager August 2023 - 13
OR Manager August 2023 - 14
OR Manager August 2023 - 15
OR Manager August 2023 - 16
OR Manager August 2023 - 17
OR Manager August 2023 - 18
OR Manager August 2023 - 19
OR Manager August 2023 - 20
OR Manager August 2023 - 21
OR Manager August 2023 - 22
OR Manager August 2023 - 23
OR Manager August 2023 - 24
OR Manager August 2023 - 25
OR Manager August 2023 - 26
OR Manager August 2023 - 27
OR Manager August 2023 - 28
OR Manager August 2023 - 29
OR Manager August 2023 - 30
OR Manager August 2023 - 31
OR Manager August 2023 - 32
https://www.nxtbook.com/accessintelligence/ORManager/orm_jan_feb-2025
https://www.nxtbook.com/accessintelligence/ORManager/orm_november-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_asc_october-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_october-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_september-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_august-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_july-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_june-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_may-2024
https://www.nxtbook.com/accessintelligence/ORManager/ormc_brochure_march-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_april-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_asc_march-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_march-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_february-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_january-2024
https://www.nxtbook.com/accessintelligence/ORManager/orm_november-2023
https://www.nxtbook.com/accessintelligence/ORManager/orm_october-2023
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-september-2023
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-august-2023
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-july-2023
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-june-2023
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-may-2023
https://www.nxtbook.com/accessintelligence/ORManager/ormc-brochure-march-2023
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-april-2023
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-march-2023
https://www.nxtbook.com/accessintelligence/ORManager/orm-february-2023
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-january-2023
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-november-december-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-october-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-september-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-august-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-july-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-june-2022
https://www.nxtbook.com/accessintelligence/ORManager/ormc-brochure-may-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-may-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-april-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-march-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-february-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-january-2022
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-november-december-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-october-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-september-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-august-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-july-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-june-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-may-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-April-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-march-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-february-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-january-2021
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-december-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-october-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-september-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-august-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-july-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-june-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-may-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-april-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-march-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-february-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-january-2020
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-december-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-november-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-october-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-september-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-august-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-july-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-june-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-may-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-april-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-march-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-february-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-january-2019
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-december-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-november-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-october-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-september-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-august-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-july-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-june-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-may-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-april-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-march-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-february-2018
https://www.nxtbook.com/accessintelligence/ORManager/or-manager-january-2018
https://www.nxtbookmedia.com