
Lance Alston, Nathan Littauer Hospital's IT director (Photo: Lance Alston)
Rural hospitals face significant cybersecurity challenges due to limited resources, including funding and limited access to a skilled health IT workforce. While attracting and retaining cybersecurity expertise are difficult, small and rural hospitals also heavily rely upon third-party vendors for essential services, which increases a hospital's potential exposure to security risks.
To defend against these threats, some form strategic partnerships with cybersecurity firms. It's a proactive cyber-defense approach that can help lower-resourced hospitals stay ahead of evolving threats and build their security resilience – even with a small internal IT team and a limited training budget.
Accessing expertise like a virtual chief information security officer (vCISO) and a Security Operations Center (SOC) can also help these hospitals align their practices with industry standards.
Nathan Littauer Hospital in Gloversville, New York, tapped external security resources to develop a compliance roadmap, using risk assessments to guide investment decisions and to keep progress going despite financial constraints and the added complexity of complying with New York's Hospital Cybersecurity Law.
While stronger cybersecurity is needed, communicating these changes to end users is crucial for successful adoption and to prevent operational disruptions, according to Lance Alston, the hospital's IT director.
The financial burden of implementing the state's mandated changes, including multifactor authentication and infrastructure upgrades, competes with day-to-day operational costs and increases the reporting workload for hospitals, he explains in the following Q&A.
Q. What has been your experience with cybersecurity resource challenges, and how has it most affected your hospital's operations?
A. Rural healthcare is not alone in the struggle for cybersecurity resources.
However, our struggles can be compounded by the same limitations that make rural healthcare a staple for many communities in the United States. We are presented, as are many rural hospitals, with limited funding opportunities, limited access to qualified cybersecurity personnel and a general sense of uncertainty from our patients as well as our staff. Attracting and retaining cybersecurity expertise in a rural market adds to this challenge, and we also rely heavily on third-party vendors for critical services, which increases our exposure if partners are not equally secure.
My current concern regarding challenges to operations is not related to past interruptions, but major changes to our future state that stand to present several changes for the end user simultaneously. While all of the changes are definitely improvements to our current state, providing routine updates and education to end users in the meantime should help with the successful adoption of new measures as they are rolled out.
Q. Cybersecurity practices are constantly evolving. What does your team do to stay ahead of threats and keep current with best practices to protect networks?
A. Our internal team strives to stay up-to-date with newly discovered threats as well as best practices for protecting our internal network.
That being said, smaller IT teams coupled with a limited training budget present challenges for the organization. To support these challenges, Nathan Littauer Hospital decided to enter into a strategic partnership with Clearwater Security to help bolster our current environment and assist with the discovery and mitigation of new and existing threats to our environment.
Our IT leadership team partnered with an external vCISO and SOC and has been able to steer our organization towards cybersecurity best practices. We are aligning our efforts to the 405(d) Health Industry Cybersecurity Practices for small organizations and have developed a formal incident response plan to strengthen our preparedness for potential events.
Q. What are some of the extra challenges rural hospitals in New York face with the state's Hospital Cybersecurity Law, which became effective last year?
A. Primarily, additional expectations with already limited technology budgets.
We have been able to develop a roadmap towards compliance with the established Hospital Cybersecurity Law, but the financial burden of bringing everything up to standard likely makes timely compliance an issue for our organization and many others in our situation.
The likes of a full rollout of MFA, various auditing software requirements, mandated upgrades to aging infrastructure and operating systems, amongst other things, are obviously crucial, but they carry a hefty price tag, especially considering the day-to-day operational costs of normal business must go on uninterrupted.
In addition to technology requirements, the law also places new emphasis on governance – such as board-level reporting and annual policy approval – which adds to the administrative workload for smaller facilities. These external resources have supported us in sequencing these requirements into a practical roadmap so that progress continues despite financial constraints.
Q. What learnings can you share about performing the law’s required risk assessment and then building or reinforcing your organization's cybersecurity program to address gaps found?
A. The risk assessment process shed light on a few specific details for myself and the rest of the IT team at NLH.
First off, it emphasized the detail needed to accurately complete a true organizational risk analysis. Just about the time you think you’ve got everything laid out and all of the details in order, one small statement during a conversation suddenly explodes into a completely new subset of interviews and conversations.
Another observation was the level of stress and uncertainty the process naturally generates for employees of all levels of technological skill sets.
Whether the interviewee was from a clinical setting or was our most tenured IT professional on staff, it became increasingly difficult to convince people that this process was not targeted at shortcomings associated with personnel, but rather at the processes and safeguards currently in place.
Through the entire interview process, we tried to emphasize the importance of honest feedback as part of the risk analysis. – Lance Alston, IT director at Nathan Littauer Hospital
Upon completion, I was surprised at the volume of positive feedback and recommendations provided to our department from employees who participated in interviews with the external security services team.
It seems as though providing them the opportunity to talk through their normal workflows and issues helped bring the majority of our staff on board with our reinforcement of our cybersecurity program. It's definitely still a work in progress, but I feel that this laid the foundation for communication preferences going forward for NLH. The process not only produced a risk register but also gave our leadership team a clear roadmap to guide investment decisions. This helped ensure that the assessment was more than a compliance exercise — it became a tool for planning and improvement.
Q. Undetected weaknesses and vulnerabilities within an organization's IT infrastructure can still be present even with large, well-resourced cybersecurity teams managing hospital networks. What are your tips for seeing beyond the blind spots?
A. A crystal ball would be great!
All jokes aside, I try to emphasize the importance of visibility and accessibility of our IT department to other departments within our organization. Through rounding, engagement and follow-up, participation in workflow committee meetings and various other outlets, our IT staff is able to develop relationships and better understand clinical and non-clinical workflows of our facility end users.
Being that humans continue to be a top threat to cybersecurity amongst all industries, effective professional communication is essential, in my opinion. We also rely on continuous monitoring and external validation provided through our partnership, which helps us identify technical vulnerabilities and misconfigurations that may not surface through staff engagement alone. This blend of human feedback and technical oversight gives us greater confidence that blind spots are being addressed.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.