Gerry Blass, President & CEO, ComplyAssistant, and Francois Bodhuin, Technology Director and CISO, Inspira Health are scheduled to speak at the New Jersey & Metro Philadelphia HFMA Annual Institute on October 26, 2022. A summary of their presentation can be found below.
Gerry and Francois will review strategies and tactics for health care organizations to consider for reducing cybersecurity risks (Prevent) and for being prepared with a business continuity plan if and when a successful attack occurs (Prepare). The world has witnessed increased attacks each year, and many more are predicted, primarily due to sanctions placed on Russia and their desire to retaliate and the United States. Healthcare in the US is considered a primary target for attackers. We have heard about large healthcare organizations that were completely “down” due to a ransomware attack. The downtime extended beyond two to three days up to four to five weeks. The business and patient safety impacts of a four to five-week downtime can be extreme. Most departmental business continuity plans were designed to address the shorter downtime scenarios and need to be updated to address extended downtimes. Gerry and Francois will cover the potential impacts of extended downtimes, both from a business and patient safety standpoint. They will discuss the impacts experienced by a large healthcare system.
As mentioned above, this session will cover how to Prevent and how to Prepare:
Prevent – Gerry and Francois will cover governance, risk, and compliance activities healthcare organizations should include in their annual risk assessment/mitigation program and identify an inventory of privacy and security tools to consider. They will also focus on the Health Industry Cybersecurity Practices (HICP) framework, which extends HIPAA Security into addressing cybersecurity threats and recognized security practices (aka controls).
Prepare – Gerry and Francois will review the latest guidance from HSCC – Operational Continuity Cyber Incident (OCCI) that can be used to assess current Business Continuity Plans and update them as needed to address the potential for extended downtimes. The guidance serves as a tool for assessment and a checklist to follow during an actual incident.
Risk Register – Gerry and Francois will demonstrate how a Risk Register will help healthcare organizations identify residual risk in relation to cybersecurity threats vs. controls that have been implemented to reduce inherent risk. For example, high inherent risk related to a threat can be reduced to lower residual risk when controls are implemented. A Risk Register is a tool that helps organize this ongoing process and make its management more efficient.