Vulnerabilities Remain Unaddressed, Says One Cybersecurity Expert

Oct. 23, 2024
Healthcare Innovation spoke with George Pappas, CEO of Intraprise Health, about challenges organizations face when addressing cybersecurity

In honor of Cybersecurity Awareness Month, Healthcare Innovation spoke with George Pappas, CEO of Intraprise Health, a healthcare-focused cybersecurity firm. Pappas shares that in his previous position as COO of DrFirst, he saw the gap between the healthcare IT infrastructure and the growing threat from cyberattacks.

The global CrowdStrike outage on July 19, 2024 was caused by a faulty software update rather than an attack, but it showed how little resilience many organizations have when a critical system fails. “Many of our clients face challenges due to limited cybersecurity investment and the accumulation of risk-management ‘debt’ from years of underinvestment,” says Pappas. “While many organizations have implemented tools and systems to address commonly understood risks—such as endpoint detection and security operations centers (SOC)—the complexity of even mid-sized hospital systems leaves numerous vulnerabilities unaddressed.”

“A mid-sized hospital could have hundreds of third-party applications and partners accessing protected health information (PHI) or critical systems without being rigorously risk-managed,” Pappas underscores.

Unified risk management is also a pressing concern, Pappas points out. “Many organizations deal with fragmented sources of risk data from various subsystems, leading to gaps in assessment.” Pappas advises consolidating that data into a single risk register that gives leadership one view of the risks, their potential impact, and their priority.
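The consolidation Pappas describes, as an added example that is not from the article or from Intraprise Health's own tooling: three constructed feeds (a vulnerability scanner export, a third-party vendor assessment, and a SOC alert queue) are joined against an asset inventory that records which systems hold PHI, normalized to a common 1 to 5 likelihood and impact scale, and ranked by their product. The feed formats, the asset inventory, the scoring rules, and all sample values are assumptions made for the example.

```python
"""Unified risk register (added example; feeds, scales and data are constructed)."""
import math
from dataclasses import dataclass

# Asset inventory: the join key that lets findings from different tools be
# weighted by what the asset actually touches. Constructed for the example.
ASSETS = {
    "pacs-01":  {"phi": True,  "criticality": 5},   # imaging archive
    "ehr-web":  {"phi": True,  "criticality": 5},   # patient-facing EHR portal
    "kiosk-07": {"phi": False, "criticality": 2},   # lobby check-in kiosk
}

SCANNER = [  # vulnerability scanner export (constructed): CVSS-style 0-10 score
    {"asset": "pacs-01",  "title": "Missing OS security patches", "cvss": 8.1},
    {"asset": "kiosk-07", "title": "Weak TLS configuration",      "cvss": 5.3},
]
VENDORS = [  # third-party assessment (constructed): controls score 0-100
    {"vendor": "transcription-svc", "phi_access": True,  "controls": 45,   "assessed": True},
    {"vendor": "cafeteria-pos",     "phi_access": False, "controls": 70,   "assessed": True},
    {"vendor": "teleradiology",     "phi_access": True,  "controls": None, "assessed": False},
]
SOC = [  # SOC alert queue (constructed): text severities
    {"asset": "ehr-web", "title": "Repeated failed admin logins", "severity": "high"},
]

SEVERITY = {"low": 1, "medium": 2, "high": 4, "critical": 5}


@dataclass(frozen=True)
class RiskItem:
    source: str
    subject: str
    title: str
    likelihood: int   # 1-5 after normalization
    impact: int       # 1-5 after normalization
    phi: bool         # does this risk touch protected health information?

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def clamp(x: float) -> int:
    """Round up and pin to the 1-5 scale shared by every source."""
    return max(1, min(5, int(math.ceil(x))))


def from_scanner(f: dict) -> RiskItem:
    a = ASSETS[f["asset"]]
    # CVSS says how exploitable the finding is; the inventory says what it would cost.
    return RiskItem("scanner", f["asset"], f["title"],
                    clamp(f["cvss"] / 2), a["criticality"], a["phi"])


def from_vendor(v: dict) -> RiskItem:
    # A vendor that was never assessed gets maximum likelihood: unknown is not "low".
    if not v["assessed"]:
        likelihood, title = 5, "No risk assessment on file"
    else:
        likelihood = clamp((100 - v["controls"]) / 20)
        title = f"Control gaps (score {v['controls']}/100)"
    impact = 5 if v["phi_access"] else 2
    return RiskItem("vendor", v["vendor"], title, likelihood, impact, v["phi_access"])


def from_soc(alert: dict) -> RiskItem:
    a = ASSETS[alert["asset"]]
    return RiskItem("soc", alert["asset"], alert["title"],
                    SEVERITY[alert["severity"]], a["criticality"], a["phi"])


def build_register(scanner=SCANNER, vendors=VENDORS, soc=SOC) -> list:
    items = ([from_scanner(f) for f in scanner]
             + [from_vendor(v) for v in vendors]
             + [from_soc(al) for al in soc])
    # Highest score first; PHI exposure breaks ties so it is never buried.
    return sorted(items, key=lambda r: (r.score, r.phi), reverse=True)


def phi_exposure_count(register) -> int:
    return sum(1 for r in register if r.phi)


if __name__ == "__main__":
    for r in build_register():
        print(f"{r.score:>2}  {r.source:<8} {r.subject:<18} {r.title}")
```

The point the paragraph makes but cannot show is the normalization step: a CVSS number, a vendor questionnaire score and a SOC severity label are not comparable until each is mapped onto the same scale and joined to the asset's PHI status, and an unassessed vendor must score high, not be absent from the list.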

“Cybersecurity is a team effort,” Pappas believes. However, he adds, CISOs find themselves responsible for areas beyond their direct control. A key lesson, he notes, is the focus on collaboration, communications, and transparency. “Building strong relationships with the Board of Directors or Audit Committee is essential to bring corporate leadership into the decision-making process, ensuring they understand the tradeoffs between cybersecurity investments and liability risks.”

Being prepared for cybersecurity incidents before they occur is critical, Pappas says, and that preparation should involve senior leadership, PR, and patient engagement departments. “During a real cyberattack, every minute counts, and the pressure on leadership and communication teams will be immense.” Conducting drills and refining an incident response playbook can have significant benefits, Pappas advises: the drills help staff develop the muscle memory to react effectively, in a controlled environment, before a real incident demands it.

Asked about additional advice for healthcare leaders, Pappas replies, “The entire leadership team needs to be more aware of the risks and investment tradeoffs along with their potential impact on patient safety, care delivery and organizational liability. In many organizations, the responsibility for this area is split between legal/regulatory and IT; it is critical that these two groups jointly engage with the broader leadership team with unity.”

“The federal government and the cyber insurance industry are raising the bar on effective risk management,” Pappas adds. “New York State is in the late stages of adopting a stringent cybersecurity risk management regulation, and the federal government has several proposals in process that are expected to be implemented in 2025.”

“In healthcare,” Pappas says, “much of the focus is on protecting PHI (Protected Health Information), but there’s a new and highly sensitive addition that requires special attention: DNA.” He explains, “While DNA plays a crucial role in advancing precision medicine, pharmacogenomics, and improving health outcomes, the potential consequences of DNA being stolen during a cyberattack are severe. The theft of such data could result in long-lasting harm to patients and raises serious concerns about data security in healthcare systems.”

“Cyber insurance is still in its infancy – leaders should be methodical in their approach to securing coverage and checking for conflicts,” Pappas concludes.