February 13, 2024
PART 1
BD recently collaborated with members of the College of Healthcare Information Management Executives (CHIME) on a webinar to discuss emerging cybersecurity risks. Panelists Kathryn Flores, AVP and CIO at UT Southwestern and Matthew Modica, CISM, CISO at BJC HealthCare, began by sharing their most pressing cybersecurity concerns. Flores expressed concern around the risk of data loss, while Modica stated that his primary concern is operational disruption due to legacy challenges. From there, the discussion turned to risks associated with Generative Artificial Intelligence (GenAI), third-party vendor management, legacy technologies, and more.
What security concerns do you have regarding the use of emerging technologies, such as AI and Chat GPT?
As both of their organizations are large academic medical centers, the panelists recognize the difficulties associated with controlling items used on their corporate networks. For example, scientists and professors often deploy systems straight from the internet, like ChatGPT, for their research and teaching. “We do have more control in the clinical space and are working with physicians to speed up the process for documentation in encounter notes. However, we are concerned with ‘hallucinations’ in large language models (LLMs) – false information that appears as if it was written by a human instead of machine – especially from a regulatory, compliance and legal perspective,” said Modica. “We have put guardrails and guidelines in place around AI capabilities to try to block some internet-based LLMs.”
What role should tech companies play when it comes to enabling organizations to manage risk?
Few organizations are able to do custom development in house; therefore, they must leverage their third-party vendor’s applications to manage and secure their data. “Vendors need to understand our business, pressure points, and time constraints for responding to patient concerns, and be there to protect our data as if it was their own,” said Modica. Flores added, “Having a good relationship with all vendors is essential. We know that large EMR vendors have the resources and staff to identify vulnerabilities and protect us. It’s the smaller, one-device manufacturers that need to be aware of regulations and threats and hold themselves accountable and support us.”
How has your approach to cybersecurity evolved over the last few years?
To move beyond the fundamentals, such as testing, validating, patching, monitoring and responding, organizations are now taking a more risk-based approach. “This starts with creating a security technology roadmap that utilizes a quarterly evaluation cycle to remain current,” said Modica. “The next step is cybersecurity maturity – establish a scale by which to measure, and then determine, achieve and maintain the selected target. Finally, prioritize and quantify those tasks that need to be done to continuously mitigate risk and share this information with leadership.” Flores also recommends “working closely with the chief strategy officer and general counsel to increase awareness and educate staff, put standards in place, and ensure adherence.”
How can vendors engage with you to give you what is needed to scale?
“At BJC, we have a clinical asset management team that manages all of our clinical devices and oversees vendor assessment,” said Modica. “Starting with procurement, we expect new and existing vendors to demo their product, its security features and scalability. We look for a fleet management approach to all of our devices, as it’s no longer sustainable for every machine to require a manual fix.” “In our Requests for Proposals (RFPs) and bids, we specify these types of requirements and check that there is a plan in place for mitigating events,” added Flores. “Vendors must continue to ‘up their game’ and build strong relationships with organizations to keep ahead of cybersecurity threats.”
How can vendors work across the spectrum of organizations – large and small – and be good corporate citizens?
By communicating with and providing ongoing support for their customers, vendors build strong relationships, regardless of the size of the organization. “This is especially true for smaller organizations that might not have the resources and staff to effectively mitigate cybersecurity risks, but still need to protect their data,” said Flores. “Companies become good corporate citizens by giving back and educating their customers,” added Modica. “They should develop a playbook based on organizations of varying sizes and locations and be able to identify the typical security configurations they need and why. Their destinies are shaped by the realities of what might happen to any one of them, and they are only as strong as the weakest link.” Technology landscapes continues to evolve, and these resources provide valuable information for organizations of all sizes.