June 19, 2017

Carter Groome • Chief Executive Officer
First Healthcare Advisory Solutions

Patient Trust in the Age of Cyber Terrorism

Terrorism comes in many forms, all with somber outcomes.  Healthcare delivery organizations must realize that they too, are a potential target.  The trust and confidence that patients (customers) have in their care providers is under assault.  Covered entities must recognize that brand and reputation damage is real when it comes to breaches, med-jacking, and obstruction of care.  Your security posture is already shaping patient safety and will soon factor into competitive advantage, or disadvantage, if you are not effectively communicating your cyber attentiveness with your customers.

Erie County Medical Center (ECMC) took weeks to mitigate the impact of their recent attack.  From a security standpoint they have leveraged recognized practice to successfully depress the more direct impacts on their patients. Nonetheless, ECMC and scores more are now in a situation where customers may consider diverting their care to other institutions over security or care availability concerns.  How can covered entities best address these concerns post attack and better promote awareness before something happens?

Providers are throwing around Madison Ave. themes with the savvy normally reserved for selling beverages, clothes and cars. Stickyness, loyalty and customer experience are all core topics of marketing and digital outreach in today’s care giving environment. The sizzle of new technology has always created distinctions in our market, so why the lag in promoting assurance and confidence in what we are trusted to protect.

“Too many initiatives fail not on the merit of the technology, but because the organization failed to successfully relay the value to the end users”, says David Butler, CMIO of NYC Health and Hospital. Those end users include the individuals who receive care and part of that value is instilling a sense of trust that new technology is secure. I cringe at making parallels between healthcare and banking, but in this case, banks have done a stellar job in cultivating faith in new technology through strong marketing.

Some organizations are beginning to recognize that value. Marc Probst, CIO of Intermountain Healthcare recently noted, “we advertise the quality of our care pretty well, we advertise the clinicians that we have, we advertise our services, if there’s a real trust gap there we need to start advertising what we’re doing to protect [patient] data and that we take it seriously.”  Others may think talking about this with your customers will make you even more of a target.  I understand the rationale but your organization is already a high value target.  Why not sensibly promote how important security is to your organization.

A 2017 JAMA study on hospitals breached more than once over the last 6 years noted several hospitals have had 4 reportable breaches.  There is no doubt some trust gaps are developing in our field.  It’s unacceptable that healthcare organizations are not taking security seriously, at the highest levels of leadership and throughout the culture of the workforce. Unfortunately, it’s only a matter of time before terrorism, in the form of ransom, denial of service or tampering will have the same sobering impact of the more traditional attacks we hear of almost weekly.  Information risk management and vigilant security hygiene are not guarantees against these threats, yet we have a responsibility to act on the best interests of the customer and sharing our security message and efforts through many channels is a great start to addressing that trust gap.

First Cyber Health Solutions, a Risk Management and HIT services firm, advises covered entities on how best to mitigate risk to your patients, systems and data.