Skip To Navigation Skip To Content Skip To Footer
    Home > Podcasts > Podcasts
    David N. Gans
    David N. Gans, MSHA, FACMPE

    Listen and Subscribe

    Apple PodcastsSpotifyGoogle Podcasts

    iHeart RadioStitcherTuneIn

    Over the past year, healthcare organizations have faced a rising trend of attempted and successful cyberattacks, infiltrating their information technology systems and stealing vast amounts of employee or patient information.

    Worse yet, some organizations had malware or ransomware inserted into their information systems, freezing their entire IT infrastructure until the organization either paid a ransom to an anonymous attacker or reconstructed its entire system.

    The fact that any system can be victimized is reinforced by the recent news that multiple U. S. government agencies were hacked by Russian agents who surreptitiously collected information for months without being detected.

    I recently had the pleasure of speaking with Marion Jenkins, PhD, FHIMSS, founding partner of HealthSpaces, a consulting firm that focuses on helping healthcare organizations define and successfully execute a viable technology strategy. Jenkins has decades of experience in strategy and buildout of healthcare IT in business technology projects and has extensive experience in confronting these intensifying threats to medical groups and mitigating risk.

    As Jenkins explained, the complexity of technology in healthcare has grown alongside these cybersecurity risks, which can create “a lot of fear, uncertainty and doubt” — or what he calls “FUD” — that must be confronted to keep clinical operations on track, so patients receive quality care without technology getting in the way.

    As Jenkins explored in his October 2020 MGMA Connection magazine article, “Don’t be a teleworking crash dummy,” the most important and effective security tool for healthcare organizations are the employees working at their keyboards, not falling prey to all types of scams and cyberattacks.

    “They really run the spectrum: From somebody who might be trying to convince someone in accounting to pay an invoice that’s not owed … on the low end of things,” Jenkins said, “to the high end of things — installing ransomware,” which has become much more prevalent in the past year.

    The human factor in cybersecurity

    Jenkins noted it is important for healthcare leaders to recognize that cyberattackers and scammers operate like regular businesses and create threats tailored to market conditions and circumstances.

    For example, new rounds of federal relief during the COVID-19 pandemic [e.g., Paycheck Protection Program (PPP) loans] might be fodder for attention-grabbing emails that are phishing attempts. There have also been more traditional consumer or business fraud scams around offering personal protective equipment (PPE) for sale that are never delivered.

    To avoid falling victim to these tailored threats, Jenkins encourages healthcare leaders to prepare workers — especially those who may be working remotely during the pandemic — to look for these types of “social engineering” and recognize the red flags on inbound emails, social media and other communications.

    “Education really is a big part of it,” added Jenkins, who encouraged the use of new systems to test your workforce with fake phishing messages for training purposes. “It’s not a real virus or real ransomware, but it’s designed to ferret those things out.”

    The new year might be an ideal time to review other basic security measures, such as creating stronger passwords, and ensuring that users with the highest levels of access to network drives (e.g., administrators, the chief financial officer, physician-owners) are taking proper precautions with their digital footprints.

    Disconnect if in doubt

    Minutes or even seconds can be crucial when a computer or system has been infiltrated, and Jenkins said healthcare leaders should resist the natural temptation to try and troubleshoot or reboot. “If there’s a suspected attack, the absolute most critical thing … is to physically disconnect and turn off those devices,” Jenkins said. “Every minute that computer is connected to the network gives that ransomware more ability to go out and find more shares to be encrypted.”

    It’s also important to consider the role of recovery and the importance of checking your system backups if your system has been affected by malware or ransomware. “If your backups are connected and you do daily backups, if you have a ransomware attack and don’t discover it within one day, then … it will encrypt your daily backups.

    “You have to balance having your backups being not just done on a routine basis, but being taken offline,” Jenkins said, to ensure the data in those backups is out of harm’s way if the backup system is connected to other systems that might be compromised.

    It’s a matter of mindset

    Given the increasing number of potential cyberattacks, being prepared is “not a matter of if you’re going to get attacked,” Jenkins said. “This is a matter of when you’re going to get attacked.” Preparing a cyberattack recovery procedure when you’re not actively dealing with an attack is crucial so you can know how to respond when it’s time to shut down systems, restore data and resume operations.

    Above all, Jenkins said it’s important for medical groups to recognize that this is not simply a compliance issue or something for an IT team to fix. Rather, good cybersecurity “needs to be adopted and be part of daily practice” so your organization creates a mindset of being careful, and not viewing precautionary measures such as password changes as inconveniences.

    “This is an operational issue — technology cannot save us,” Jenkins said. “The biggest threat and the most important tool is the person sitting behind the keyboard. … If we don't give that end user the tools and the information they need to be safe, then we have failed.”

    Additional resources

    David N. Gans

    Written By

    David N. Gans, MSHA, FACMPE

    David Gans, MSHA, FACMPE, is a national authority on medical practice operations and health systems for the Medical Group Management Association (MGMA), the national association for medical practice leaders. He is an educational speaker, authors a regular Data Mine column in MGMA Connection magazine and is a resource on all areas of medical group practice management for association members. Mr. Gans retired from the United States Army Reserve in the grade of Colonel, is a Certified Medical Practice Executive and a Fellow in the American College of Medical Practice Executives.

    Explore Related Content

    More Podcasts

    Ask MGMA
    Reload 🗙