Academic journal article Frontiers of Health Services Management

A Holistic Approach to Cybersecurity Starts at the Top

Article excerpt

Over the past several years, healthcare organizations have become highly valued targets for enemy nation states, organized criminals, and even "hacktivists" who want to draw attention to their causes. To address the increasing frequency and severity of attacks, healthcare organizations have had to develop capabilities in cybersecurity. Cybersecurity in healthcare includes defensive measures and activities to prevent exploitation or misuse of information technology (IT) and data assets such as medical devices, patient databases, and network infrastructures (Healthcare and Public Health Sector Cybersecurity Working Group 2013).

The organizations featured in this issue of Frontiers of Health Services Management, Virtua and Sentara Healthcare, are at the forefront of addressing cybersecurity in a holistic manner. The authors of both feature articles describe cybersecurity approaches that include people, process, and technology. Successful cybersecurity relies on all three components working together. Additionally, Virtua and Sentara see cybersecurity as a business enabler and patient care issue.

Like Virtua and Sentara, Premera Blue Cross takes a comprehensive view of cybersecurity. Premera, a not-for-profit Blue Cross Blue Shield-licensed health insurance company headquartered in Mountlake Terrace, Washington, serves two million customers in Washington and Alaska. The company, with more than 3,250 employees, has a network of more than 38,000 healthcare providers. The cybersecurity program at Premera recognizes the enterprise-level importance of and responsibility for protecting information through the implementation of all necessary tools, techniques, and practices. To that end, Premera's experiences align with those of Virtua and Sentara. From my perspective, there are also lessons learned that emphasize leveraging people, process, and technology together while making cybersecurity an enterprise concern that is recognized by the C-suite and governing board.

Impact and Evolution

Healthcare networks have been officially considered part of the United States' critical infrastructure since the release in 2013 of Executive Order No. 13636 ("Improving Critical Infrastructure Cybersecurity"). The value of data in a medical record and the potential disruption to the care delivery system can place healthcare organizations in cyber criminals' crosshairs. As Pullin sees it at Virtua (and correctly so), cybersecurity is imperative in healthcare organizations because it is a patient safety matter.

Cybersecurity concerns have risen to the level of the CEO and governing board. No longer is cybersecurity seen only as an IT problem with IT solutions. If healthcare organizations are to address information risk properly, all individuals must perform according to their prescribed roles and responsibilities, including the C-suite. In their feature article describing Sentara's perspective, Reagin and Gentry state that successful cybersecurity starts at the top. In fact, it is significant that the authors of both feature articles are C-level executives and are well versed in the key aspects of cybersecurity. At their level of influence, their position that cybersecurity is a team sport as well as a patient care and safety issue can drive organizational change and culture. As a chief information security officer (CISO) who has supported two organizations through post-data breach recovery, I endorse their positions.

People: Cybersecurity Takes a Village

Cybersecurity cannot be the sole responsibility of the CISO and his or her IT staff, and no amount of funding or technological advances will change that fact. As at Virtua and Sentara, every person at Premera is responsible for safeguarding the sensitive and personal data they handle daily. This responsibility begins with the senior-most leaders. Pullin calls for a board-level IT committee, while Reagin and Gentry describe the value of engaging leadership in the conversation. …
