Digitally mature hospitals perform better on safety, according to HIMSS study
#DigitalHealth #hospitals #HIMSS #PatientExperience #PatientSafety
Document Sharing Across Network Topologies White Paper expands upon the concepts in the Health Information Exchange White Paper by providing additional guidance on how existing document sharing communities can be interconnected to form a unified federated exchange ecosystem. This type of ecosystem typically emerges in environments composed of several jurisdictions that each began developing their own health information exchange and now wish to become interconnected.
#HIMSS #TEFCA #FHIR #HealthIT
https://mailchi.mp/ihe/ihe-iti-tf-documents-published-for-pc-2023-03-03
The following is a bunch of interesting sound bites and statements I heard at day 1 of the #HIMSS Healthcare Cybersecurity Forum. These were handwritten notes, so if I quote someone it may be a tad off.
According to Danny Jenkins of ThreatLocker, adversaries are using commercial off-the-shelf backup software like Veeam to exfiltrate data. Honestly, I didn’t see that coming.
A fun sound bite also from Danny: “Doctors love programs that need to run as local admin”. So true.
On getting clinician buy-in for security spend you need to answer “what’s in it for my patients”. To me, this is hard. My brain keeps coming back to "exfil of patients records" and "downtime of medical services". Anything else?
I was aggravated by a panelist suggesting a way to value patient records is their going rate on the dark market. Thankfully, another panelist spoke up and said patients care about their own medical records as if they were their identity. The record may be $7 on the dark market but means everything to the patient.
Your security solution must not increase “mean time to EKG” where higher numbers lead to higher mortality. Imagine: “I’m sorry we weren’t able to save your mother because of the security systems in my way but don’t worry, her medical record is safe!”
On patching resistance with biomedical devices: FDA guidance says push updates and security tools as long as it doesn’t interfere with the core function.
Clinicians have dozens of critical emails to consume throughout the day. Do your phishing awareness but make it frictionless and help clinicians commit it to muscle memory, e.g., hovering over links, checking from addresses.
Cyber “have-nots”, vicious cycle: not enough money to do the things, therefore cyber insurance premiums increase, exacerbating the not enough money to do the things problem, leading to ransomware or extortion leading to less money to do the things and higher premiums. Expecting healthcare bankruptcies to increase.
Healthcare can set up regional resiliency. When a hospital gets hit with ransomware, nearby hospitals get flooded. Patients don’t stop getting sick. So figure out what it looks like to surge suddenly. Put agreements in place. Model the scenarios.
Clinicians, exercise your business continuity plans but not just for a few hours or days without an EHR but for weeks or months! Paper may not scale that long. What would weeks look like?
Regarding phishing training, reduce frequency for those who do well. Get out of their way. For those high clickers, offer some more personal training. They are likely susceptible to cons. Talk about physician burnout, imagine someone who also just had their personal bank account wiped.
Hospital in the “cyber 1%” had checked every box on an assessment and still had their cyber insurance go up 46%.
Discussed a few times, desire for a national funding of cyber for smaller hospitals.
Anand Oswal of Palo Alto sharing his definition of what zero trust means: “No notion of implied trust”. That's pretty concise to me. I like it.
Roshal Marshall of McKesson on meeting with your legal counsel and discussing your security program before an incident: “if you can’t explain it to your lawyer you’ll have a hard time explaining it in court”.
I’m super excited for the #HIMSS Healthcare Cybersecurity Forum tomorrow. The last time I attended in person was Dec 2019 and I learned a ton. It was exciting to see healthcare CISOs organizing to provide actionable advice to help practices large and small. The world has changed so much since then. Of course the pandemic, but also the continued explosion in ransomware and extortion. Healthcare continues to be an easy target.
I want to help. I’m here to help. I’m not here as a vendor. I’m here to listen and learn.
Hoping to catch any new joiners… Anyone going to the #HIMSS Healthcare Cybersecurity Forum next month in #Boston? #HITsecurity #infosec #conference
Anyone going to the #HIMSS Healthcare Cybersecurity Forum next month in #Boston? #HITsecurity
Still ploughing through work at #HIMSS in #Orlando, but I wanted to extend a warm #croeso to all the new folks coming by to check us out, please say hi and make everyone feel at home - quite a few folks would like to practice their #Welsh @daf @scarletdave @platinum50 @Adrian @anniemo71 @dannywith @tokenwelshman @crwbran @PlanhigionArHap