Issue link: https://beckershealthcare.uberflip.com/i/1405817
51 CIO / HEALTH IT 'Every CEO, at this point, is now in the business of cybersecurity': How hospitals should rethink threat defenses By Jackie Drees A s cyberattacks on hospitals and health systems continue to escalate, the role of chief information security officer must evolve to adequately protect patients' information and have a more prominent role in the business, according to a July 10 report in e San Diego Union-Tribune. "Every CEO, at this point, is now in the busi- ness of cybersecurity," Lisa Easterly, CEO of the San Diego Cyber Center of Excellence, told the publication. "ey need to be en- gaged and understand what the risk is on a real-time basis; the threat landscape is ever evolving and becoming more sophisticated." Seven things to know: 1. e average cost of a secure data breach is more than $7 million in the healthcare in- dustry, according to an IBM study. Hackers can affect a hospital's financials just as much as malpractice lawsuits, bad investments or changing economic conditions. 2. While CISOs are generally responsible for keeping track of cyber vulnerabilities and preparing incident response plans, their reach to the CEO appears to be somewhat rare in healthcare. 3. In San Diego, no CISOs at healthcare orga- nizations are among the executive teams that report directly to CEOs; many report directly to the CIO or chief technology officer, accord- ing to an informal survey of local healthcare organizations, the publication reported. 4. Hospital IT departments generally are more focused on keeping equipment run- ning and on digital transformation process- es, said Michael Hamilton, co-founder of Se- attle-based information security consulting firm CI Security. "e CIO is concerned with keeping the lights on; if the stuff is working, don't mess with it," he said. "Having to carve out that budget for security means that the digital transformation work is not going to get done and that's the stuff that makes money for the business, and security can get sidelined." 5. Balancing IT budgets between digital trans- formation and cybersecurity protections can be a problem for many organizations, which some are solving by removing information security from IT to lessen the chances of com- peting interests, Ms. Easterly said. 6. Hospital executives must understand and demand resources to combat new cyber threats with the same resourcefulness they use to address all other aspects of business; CISOs are in the best position to communicate this advice and knowledge to executive leaders, but they oen have trouble explaining their technical findings in a way that boardroom audiences will understand, Mr. Hamilton said. 7. An organization's initial thought to han- dle cybersecurity may be to name the best technical expert the CISO, but this can end up backfiring if that person isn't willing to strengthen their understanding of the busi- ness they're trying to protect. "A big part of the problem is that people who have come up through this technical track need to go out and get a damn MBA," Mr. Hamilton said. "Yes, the CEO should prob- ably learn something about cyber, but the CISO, even more so, needs to know more about business." n CMS proposes extending certain Medicare telehealth provisions through 2023: 5 details By Jackie Drees T he Biden administration has proposed expanding telehealth reimbursement for behavioral healthcare services as part of its proposed 2022 Physician Fee Schedule, which CMS unveiled July 13. The proposed rule includes payment rates for Medicare next year as well as several other policy proposals that could affect physicians. Here are five things to know about the proposed rule's telehealth components: 1. CMS wants to pay providers for giving certain mental and behavioral healthcare services to patients via au- dio-only telehealth calls. However, payment would only be met under certain services including counseling and thera- py for opioid treatment. 2. The Physician Fee Schedule eliminated geographic re- strictions that could be a barrier to telehealth services for mental health. Under the rule, patients also would be able to access telehealth in their own homes. 3. If finalized, the rule would cover telehealth used for diagno- sis, evaluation and treatment of mental health disorders and also would pay physicians for mental health visits delivered via telehealth to rural and vulnerable patient populations. 4. CMS also proposed allowing certain services that have been added to the Medicare telehealth list to remain cov- ered through the end of Dec. 31, 2023, so that "there is a glide path to evaluate whether the services should be permanently added to the telehealth list following the COVID-19 [public health emergency]." 5. Stakeholders can comment on the proposed rule through Sept. 13. n