Learn how your hospital can outsmart cybercriminals 

If you’re a healthcare CFO, you’ll want to read these articles before you attend Summit Elevate. 

Apr 7, 2025

Eric Busch

SVP, Finance and Reimbursement

Kodiak Solutions

Healthcare CFOs have a lot on their minds. So much so that we’ve teased it all out into a visualization that we call the CFO Mind Map.

But there’s one thing that could really blow their minds entirely—along with their organization’s clinical, financial, operational, and reputational performance—and that’s a major cybersecurity attack.  

We’ll be talking about healthcare cybersecurity at this year’s Summit Elevate conference, held April 23-25 at the Grand Hyatt Tampa Bay in Tampa, Florida. This invitation-only event is designed for healthcare CFOs and senior-level leadership.   

At Summit Elevate, John Norenberg, Kodiak’s Vice President for IT and Cybersecurity, will lead a briefing on the latest cybersecurity trends, regulatory environment, and strategies to combat this growing threat.   

We won’t steal John’s thunder here. But we will steal and share some of the takeaways from our most recent thought leadership pieces on cybersecurity. Think of them as appetizers before John’s main course.   

In “3 ways to boost your cybersecurity,” John offers a trio of recommendations for how hospitals, health systems, and medical practices can fortify their defenses against cyberattacks. John recommends:  

  • Using complete datasets, not data samplings, in assessing an organization’s cybersecurity risks to avoid missing a gap or hole in an organization’s defenses.  
  • Embracing AI-powered technology to cover more ground automatically rather than adding more to the plate of existing internal audit staff.  
  • Using technology to continuously monitor for risk as cybercriminals are working 24/7 to find a gap or hole in an organization’s defenses.  



In “Making sense of the new HIPAA Security Rule,” John breaks down what the new rule would do and not do. The public comment period on the new rule ended in early March. It’s unclear when and if the new rule will become final and when its requirements would take effect. Still, John shares six things CEOs, CFOs, and boards of directors can do now to ensure their organizations are in the best position to comply with the new rule when and if it becomes law:  

  • Invest in IT governance.  
  • Elevate cybersecurity in management discussions.  
  • Inventory all IT assets.  
  • Analyze the effectiveness of current cybersecurity people, processes, and technology.  
  • Consider the budgetary impact of complying with the new rule.  
  • Have a third party conduct a mock assessment of current cybersecurity controls.  



In “A deep dive into healthcare providers’ cyber defenses,” to be released at Summit Elevate, John reveals six weak spots he identified in the cyber defenses of hospitals, health systems, and medical practices after working with an outside firm to conduct mock assessments of provider organizations. The six biggest weak spots are:  

  • Unsecured sensitive information everywhere.  
  • Spotty patch management.  
  • Technical vulnerabilities in the network.  
  • Weak evidence of change control.  
  • Improperly set up cyber tools.  
  • Broken incident response processes.  



In the yet-to-be-published “Effective enterprise risk management: Double clicking on IT and cybersecurity,” Dan Yunker, Kodiak’s Senior Vice President for Risk and Compliance, joins the cybersecurity discussion by highlighting the most recent findings from Kodiak’s Top Risks 2024 report and why healthcare governing boards, not just audit teams, should take them seriously. Dan offers five strategies for governing boards to manage the IT risks at their organizations:  

  • Modernize risk assessment.  
  • Don’t sleep on cybersecurity.  
  • Make staff training a priority.  
  • Adopt continuous monitoring.  
  • Invest in IT risk management and cybersecurity.  



What’s the biggest takeaway from these four thought leadership pieces on healthcare cybersecurity? The threat landscape in healthcare is evolving so fast in number and sophistication of attacks that it’s difficult if not impossible for a single internal audit team to keep up. Additional technology and expertise will be necessary to safeguard an organization’s clinical, financial, operational, and reputational performance 24/7.  

If you’re a healthcare CFO or in senior financial leadership at your organization, attend John’s briefing at Summit Elevate and learn more about how you can do your part to protect your hospital, health system, or medical practice from cyberattacks.  
