Oct. 31 may be the last day for observing Cybersecurity Awareness Month, but our responsibilities to “Protect the House” continue 24/7, every day of the year.
“Protect the House” was launched last year to increase awareness of the “dos and don’ts” when it comes to safeguarding sensitive information. It speaks to the responsibilities we have to protect both our “work home” and personal information, as well as safeguarding all sensitive information within UR, URMC, and UR Medicine affiliates, from landing in the hands of cybercriminals.
Protecting the university ‘house’ requires both:
- investments in modern hardware and software to fence off the perimeters, secure our systems and networks, and
- a security culture, where each of us recognizes threats like phishing and breaches so we can make smart decisions like using strong passwords and multi-factor authentication.
Investing in new digital applications and services in our research, patient care, and academic pursuits without also safeguarding our systems and networks exposes us to increasing levels of threats from cyber thieves who use increasingly sophisticated tools and methods to take advantage of human mistakes and fears.
Breaches are also costly, both in terms of operational disruptions and financial costs:
- The Joint Commission, a health care accreditation body, warned that hospitals should anticipate critical systems being down for a month or longer if attacked.
- A May 2023 JAMA review of the 2021 Scripps Healthcare ransomware attack concluded and recommended that “targeted hospital cyberattacks may be associated with disruptions of health care delivery at non-targeted hospitals within a community and should be considered a regional disaster.”
- In a recent IBM report, the cost of a healthcare data breach is estimated at nearly $11 million, a 53.3 percent increase from 2020.
- Chicago-based CommonSpirit Health recently estimated the financial impact of a major cybersecurity event on Oct. 2, 2022, at $160 million, excluding lawsuits related to the ransomware attack.
- In addition, cyberattacks disrupt patient care, requiring organizations to scale back their care delivery. For example, Prospect Medical Holdings, a 16-hospital system based in Culver City, CA, just recovered from an Aug. 3, 2023, ransomware attack after being offline for 40 days.
- Here at the university, URMC paid $3 million in settlement for information breaches in 2019 and we are still in the midst of implementing a multi-million-dollar multi-year corrective action plan.
These transformations are not easy, and University leadership is acutely aware that we must balance good security control with the need for efficient access to information. Ultimately, the aim of our Protect the House program is to ensure that the right people have the right level of access to the right data and systems at the right time. However, technical solutions cannot do all the work. For us to be successful, we all must embrace changes and take seriously our responsibility to recognize and avoid threats and prevent breaches.
Thank you in advance for all you are doing to help us Protect our House.
Julie Myers, VP of Information Technology & CIO, UR
Mark Ballister, Chief Information Security Officer
Jim Forrester, Chief Technology Officer, URMC
Nora Tabone, Chief Privacy Officer, URMC