It’s not easy to get the resources needed to ensure your organization can prevent and properly respond to ransomware attacks. But as the number of attacks in the health care industry increases, it’s vital that organizations put the right people and resources in place. Here’s how Integra Managed Care has responded to the growing threats and why your organization may want to follow the managed long-term care plan’s lead.
Maura McGrath oversees compliance and privacy at Integra Managed Care, a New York State managed long-term care plan designed for adults living with long-term disabilities. Michael Meyn supervises cybersecurity at the organization.
In most organizations, the two departments would act as separate silos. In fact, that’s how it used to work at Integra Managed Care. But now they are the organization’s dynamic duo, ensuring that the two departments work together to protect the organization from cybersecurity attacks.
It’s a partnership that began 1 ½ years ago when McGrath came on board as Integra’s chief compliance and privacy officer, and Meyn, chief information security officer (CISO), approached her to work with him on cybersecurity efforts.
The partnership provides Meyn (pictured right) with a seat at the organization’s compliance committee and an opportunity to explain risks, internal activities, and the goals of the department. Meyn handles communication and training on cybersecurity issues and McGrath makes sure staff understand the HIPAA privacy rule and how to appropriately protect member information. The roles are very visible within the organization and provide staff with people they can turn to if they have a question or concern on compliance, privacy, or cybersecurity.
“We can brainstorm off each other. We can work together, especially when it comes to third parties like vendors, determining whether we are utilizing them well and how much of a risk this vendor is to our organization. So, it’s not just looking at it from a compliance perspective or a privacy perspective but also looking at it from a cybersecurity perspective,” he said.
The two will discuss the unique partnership at RISE’s upcoming virtual seminar, Cybersecurity Governance and Controls for Health Care, Oct. 20-21. Their session is a case study on best practices that attendees can use to establish a similar program at their organizations.
“In my role as the compliance officer,” McGrath said, “I have some responsibility to understand what is happening in the arena of cybersecurity. There is some overlap between security and privacy where we can leverage each other’s experience and authority in a way because you need to get the organization to do certain things to protect the organization, and I think we can better accomplish that in partnership rather than in isolation because then we have a uniform message.”
McGrath (pictured right) said Meyn takes the full lead in cybersecurity and uses “lay language” to help her understand what the department is doing. “I don't have the training or education to understand cybersecurity, but at least in my role as compliance officer, I have a lot of reassurance that a lot is happening and that they're trying to stay ahead of the cybersecurity attacks that are out there,” she said.
One of the tools Meyn uses to educate staff is “phishing campaigns.” Every month the department sends a fake email to all employees to see if they will be tricked into clicking a link or entering their password. If they do, the employees get a message that they were fooled by Integra’s phishing campaign and must take remediation training. “People are now on super high alert,” he said. “People are now constantly sending me emails asking, ‘Are you trying to trick me?’ But I think we’ve made a lot of progress with that and getting everyone to understand how important this is and how easy it is to be fooled.”
McGrath and Meyn said they are pleased to speak at the virtual event and share how the partnership works because cybersecurity and ransomware attacks are only going to escalate within health care and other industries. It’s become a multimillion-dollar business and it takes less than 10 minutes for an attack to take place and gain access to an organization’s system, according to Meyn. As a result, it’s important that health care organizations have the resources and experts in place to serve in compliance and security roles.
But it’s often hard for organizations to truly understand why they need to invest money and resources into cybersecurity when they don’t have the funds to support patient care, McGrath said. “It takes a tremendous amount of resources to protect the organization against cyber security,” she said. “Those resources mean things like having to use consultants, hire the staff you need, even those phishing campaigns take a lot of staff time. Our organization understands this and is able to allocate the resources, but that’s definitely not always true, especially in a nonprofit health care setting because it’s hard to do and organizations, sometimes they just don’t have the resources. But then, as Mike said, a breach is way more costly,” she said.
McGrath and Meyn will present “Case Study: Best Practices for CCO-CISO Partnerships and Organizational Structure” from 12:15 to 1 p.m. EST on Thursday, Oct. 21, as part of the virtual seminar, Cybersecurity Governance and Controls for Health Care. More information about the event, including the full agenda, speakers, and how to register, is available from RISE.