*Video first appeared at This Week Health’s Video Podcast – The 6 Key Steps for Improving Cybersecurity According to the HCIC: Which One Do you Need?
How Cybersecurity Entered the Healthcare World, and Where Stipulations for it Stemmed (Video Transcript)
Bill Russell: So Brad, was cybersecurity actually impacting the delivery of care at that point? Were we worried, or just, were we sort of projecting and saying, no, it can? If cybersecurity escalates, if these attacks escalate, it can actually impact the delivery of care and actually cause harm.
Brad Marsh: We were seeing it more and more. After meaningful use was signed in and we got more and more EHRs, that’s great. It’s made more affordable to more agencies. Great! You have this ability. Now we can stop manual data entry. That saves patients. We had barcode medication administration, that saves patients. But when we have those things, you start to connect more to reduce other risk. When you have a clinician mindset, it’s patient safety. When you have a cybersecurity perspective, it’s cybersecurity safety. What Teresa, being in this position she’s in, she is the one person at that time could say cybersecurity is patient safety. And so, we were seeing the writing on the wall.
Back in an allegory, when you look at the world wars, if there was a red cross on a building, it was avoided from shelling, for the most part. We’re going to speak in generalities. That red cross used to protect you. As warfare has evolved over time, that then became a target. We were the soft target. We thought nobody would attack us because we are doing good. We are taking care of people. We are not political. We are not in any way, shape or form attacking another country with a hospital. But when we were seen as the soft underbelly of the United States in our critical infrastructure sector, that’s where it began to destabilize. And so, we saw the over the horizon.
Theresa Meadow: The one thing I’m going to add to what Brad said, I think what our federal partners were seeing more of that type of activity than we were. So we were more still stuck in how do we protect PHI and how do we not have a breach. And so, really cybersecurity today in some instances is not really about the PHI. It’s really about how do I prevent somebody from doing the job that they need to do for money. And so it’s become a more of a different spin on it. And we were kind of caught in the crosshairs because we’re only worried about HIPAA, but this issue is a bigger issue than just protecting PHI. And so, I think our federal partners like Brad and others kind of educated us about these are the things that we see, but we don’t share this information publicly, so there’s not a way for you to know all the things going on. And this was the first time we kind of had insight behind the curtain about – healthcare is a target. We just don’t know it because we’re not engaged at the level that we should be in these topics. And so I think that’s one of the main things I took away, is we have to be more engaged and more sharing there.