Why Healthcare Needs MBA-Equipped Administrators to Fight Cybercrime
Cyberattacks are on the rise. Because of the rich and vast amounts of data held by hospitals and health centers, they have become the target of many of these attacks. As a result, these institutions are in need of administrators with a unique understanding of the space in which health data exists, strong management skills, and the ability to create security initiatives designed to balance accessibility to that data by staff and patients with the very real need to protect it.
Despite this need, hospital IT departments are consumed with Electronic Health Records projects, and management has been slow to prioritize and fund cybersecurity projects. This shortage of qualified personnel, along with the value of the data it holds has caused healthcare to be the most cyber attacked industry in the last year.
Common Types of Cybersecurity Attacks
Ransomware has been a major problem for hospitals over the last year, and unless things change that trend is likely to continue. There are a few common keys to cybersecurity missing from many hospitals, including dormant accounts, excessive user permissions, and encryption and honeypots are missing in many hospitals.
This makes them vulnerable to several types of attacks:
- Malware: An attacker puts some kind of malicious software on a server or other device that is designed to interfere with the way the server should work.
- Exploiting Weakness: Often attackers find a fault in the data structure of a hospital, and use those weaknesses to gain access.
- Guessing: Attackers are able to do this because of likely usernames, and employees who use common (and horrible) passwords that are easy to break.
- Deceptive Interaction: An employee or user is tricked into opening an email with malicious software or providing a hacker with their password or other information.
These are only a few of the ways that hackers can access to hospital software and data. Prevention and dealing effectively with these types of attacks when they occur is crucial to any digital security strategy.
One of the keys to preventing cyber attacks is to have an aggressive strategy for managing risk. Besides maintaining frequent digital backups and performing regular internal security audits, it is essential to implement other risk management measures.
- Establish a core cybersecurity team who are responsible for identifying risks and establishing procedures to ensure that if an attack were to occur, it will do as little damage as possible. The creation and management of this team falls under the responsibilities of the hospital administration.
- Keeping in mind the Cybersecurity Framework being drafted by the National Institute of Standards and Technology, develop a plan for responding efficiently to cybersecurity attacks and investigating them to determine the source and cause of the attack.
- In June of 2013, the FDA established guidelines that hospitals must ensure that all equipment is not infected with malware, and include intrusion detection and prevention software. Administrators should ensure that all equipment currently being used meets these standards.
- Network with other security officials and hospitals, constantly updating hospital policies and response procedures to keep up with the ever changing cyber security world.
- Ensure hospital insurance coverage is updated to cover loss and potential liabilities involved with cyber security.
Risk management is just one of the many reasons hospitals need well trained administrators who are familiar with the rise in cyber attacks and the ways to deal with them.
To effectively deal with cybersecurity, hospital management will need to not only be aware of and manage risks, but will also have to hire and retain personnel capable of dealing with them effectively. This involves a few key components:
Attracting the right personnel.
Because of the shortage of qualified cybersecurity professionals, particularly in the healthcare field, employees have more choices than ever about where they will work. As a result, an employer must stand out to the employee.
- Company Culture. An organization needs to be seen in the community and by your employees as a great place to work. This includes your core values and how they align with those of your staff. Company culture can be greatly influenced by who a manager chooses to recruit and retain.
- Compensation. Compensation not only includes salaries and bonuses, but relocation incentives and more. Healthcare managers should ensure that their compensation packages fall in line with other organizations competing for prospective employees.
- Benefits. From health insurance to paid time off, your benefit package needs to be competitive and reasonably generous.
- Intangibles: Gym memberships, on site daycare, and many other perks are not necessarily included in compensation or benefit packages, but can be an important part of attracting the right employees.
Once you have hired the right employees, you have just begun the process. Retention of the right people is just as important.
Keeping good people can be equally as hard as attracting them. Companies are competing for the best talent, and keeping employees satisfied is essential.
- Engagement: Keeping employees engaged is about constant job fulfillment. What satisfied an employee at the beginning of their tenure will not remain enough. As the employee grows with an organization, so do their needs and expectations. An employer must stay cognisant of those things, and continue to offer opportunities for fulfillment.
- Stay Interviews: Besides interviewing new employees and those who are leaving, conducting “stay interviews” helps managers determine what is and is not working for them, and how issues can be corrected to prevent them from leaving.
- Say Thanks: Bonuses are nice, but a thank you can go a long way. Healthcare managers should go out of their way to let employees know they are doing a good job, and that it is appreciated.
Those who seek an MBA with an emphasis in healthcare are not only prepared to manage risks and cyber security issues, they also learn skills needed to deal with the hiring and retention of employees.
When the unthinkable happens, and a cyber attack does occur, healthcare organizations need managers who are trained in managing crisis, and determining how to resolve them quickly and mitigate the impact they have on patients and staff.
Communicate Early and Effectively.
If a crisis occurs, leaders must communicate early and effectively, explaining that they are aware of an issue and are working to correct it. This communication can occur in several ways:
- Social Media. Using social media is a good way to openly communicate, but leaders must keep in mind the ethics of social media and healthcare professionals, leaving out details and personal information while still getting a message across.
- News Outlets. Is the news big enough that it should be shared with traditional news outlets? Press releases and conferences still play a role in active communication with the public.
- Internal and Confidential Information. An effective manager must communicate clearly with employees in a crisis, letting them know how to handle confidential information, and what is expected of them until the crisis is resolved.
Once the lines of communication have been opened, a manager must also manage other aspects of the crisis.
Take Corrective Action:
Managers must work with teams to close security gaps as quickly as possible, and correct any weakness in the system to prevent the same thing from happening again.
Once the problem has been corrected, management needs to apologize for the inconvenience to staff and patients without admitting fault, and explaining what corrective action and preventative measures are being taken to change the future and prevent such disaster from happening again.
Healthcare needs MBA equipped administrators to help them fight cybercrime. The skills they learn when studying for an MBA with an emphasis in healthcare at Marylhurst University prepare them to understand the types of cyberattacks, manage risks, find and retain the best employees, and deal with crisis if the worst happens.