New Cyber Health Strategy Protects Privacy, Mitigates Risks and Fosters Patient Confidence

The healthcare industry has become an increasingly popular target of cybercriminals. In 2021, medical organizations were the most common victims of third-party attacks, accounting for 33% of all such incidents, according to an article in Security magazine.

“Patients trust us with what’s most precious to them – their lives, their privacy and their future. Cybercrime undermines that trust,” says Vugar Zeynalov, Chief Information Security Officer at Cleveland Clinic. “Cyber incidents are not just about losing data. They are about losing patients’ confidence, undermining safety and impacting care availability.”

Crafting strategy around care priorities

In 2021, Cleveland Clinic launched a new three-year cybersecurity strategy that encompasses four principal goals:

• Reduce cyber risk – Empower care and innovation by managing the organization’s top cyber risks.
• Enable seamless experiences – Enrich the caregiver experience and reduce security fatigue.
• Demonstrate operational excellence – Invest in caregivers, technologies and processes to grow and run at optimal velocity.
• Advance cyber health – Secure the future of digital care and prepare tomorrow’s caregivers.

“Cleveland Clinic has a deep sense of purpose, pride and excellence that proliferates across the entire culture,” says Zeynalov. “It’s important to us to instill those values into the cybersecurity team as well.”

As part of the strategy, the cybersecurity team developed a set of objectives and key results that align with Cleveland Clinic’s four care priorities:

Care for Patients – Patients expect reliable care technologies, safe medical devices and privacy related to their sensitive information.

“Cyber is like healthcare in many ways,” explains Zeynalov. “We prevent every threat we can; and whatever we can’t prevent, we hope to detect early so we can respond quickly and recover with minimum impact to the organization.”

Care for Caregivers – Objectives include continuing operations during disruptions, educating caregivers on cybersecurity without overwhelming them and providing easy access to digital platforms.

To meet these objectives, Cleveland Clinic is focused on developing and testing business resiliency plans for all its institutes, hospitals and divisions to ensure that no critical system outage lasts more than eight hours. In addition, it will expand targeted, role-based cyber training to all caregivers.

Care for Organization – “We want to make sure digital relationships are protected and trusted, and we remain compliant with government and industry regulations,” says Zeynalov.

Cleveland Clinic will complete an evaluation and protection process for all high-risk third parties, roll out standard protections to newly acquired entities and expand compliance with healthcare and credit card regulations to new sites.

Care for Community – “We have an opportunity to educate the community at large, as well as recruit and retain world-class cybersecurity talent,” explains Zeynalov.

By 2023, Cleveland Clinic will launch a cybersecurity curriculum for caregivers establish a cyber health research laboratory and work with corporate partners in the information technology industry to advance healthcare and research data protections.

Six tips for building a cybersecurity strategy

Zeynalov offers advice to other healthcare organizations on developing a cybersecurity strategy:

• Understand the patient journey within your organization. “When we created our cybersecurity strategy, we started with the journey of the patient – from admission to discharge – to understand any friction cybersecurity creates by doing or not doing something,” he says. Zeynalov and his team visited nearly all of Cleveland Clinic’s locations.
• Meet with key leaders to learn what’s important to them. Understanding leaders’ expectations and aspirations will help guide sound decisions, says Zeynalov. In addition, he emphasizes the importance of maintaining solid relationships with leaders so that when a cyber breach occurs, the organization can communicate effectively and recover more quickly.
• Build the strategy with clinicians. “Cybersecurity as an industry is notorious for making things harder for people,” says Zeynalov. “Creating a task force that includes clinicians allows them to shape cybersecurity strategy from their vantage point and fosters a sense of shared responsibility.”
• Use simple language. “Avoid technical language whenever possible,” he says. “Your cybersecurity professionals should speak the language of the organization and understand how the work they do aligns with the enterprise as a whole.”
• Adhere to the health system’s vision and mission. “Instill the culture of care, purpose and excellence into the cybersecurity team. We’re here to care for people, not just computers,” says Zeynalov.
• Share cyber best practices with other healthcare organizations. “Cybersecurity is one area in which providers can’t afford to compete,” he says. “Criminals are sharing their exploit techniques; healthcare providers should share defense strategies.”

Fighting cybercrime in healthcare is a collective effort, concludes Zeynalov.

“Preparation begins internally with the cybersecurity team and must expand outward to include other departments within each organization, ultimately extending to other partners that provide direct aid, such as law enforcement,” he says. “We must all, as an industry, collaborate to ensure patients have access to the best care when they need it.”