Owensboro Health on Taking Cyber Risk Management Beyond the EHR

Redefining Cyber Risk Management

“We knew there were better strategies than rushing through a risk assessment at the end of every year to check a compliance box,” says Jackie Mattingly, CISO at Owensboro Health.

Mattingly explained that using an isolated approach to cyber risk management meant most of their efforts were focused around their EHR, leaving multiple other risks across the organization unidentified and, therefore, unremedied.

“Most of these major EHR systems have a pretty good grip on security for their systems. We use Epic and they have things pretty well buckled up,” Mattingly said. “They’ll actually notify us if they detect an incident but it’s the many other ancillary systems we use that pose a greater threat. You really have to assess risk across the enterprise.”

It can be challenging to get everyone on board with an enterprise cyber risk management program. Mattingly explained that it’s easy for a hospital or health system to find themselves siloed in their approach to security because vendors sell apps, devices, and software to different decision makers across the organization. It would be easy for someone in a clinical specialty to make a purchasing decision for technology that can improve diagnostics and patient outcomes without realizing that the technology violates certain aspects of the organization’s security policies.

Mattingly says this doesn’t mean a purchase gets shut down, but rather that their Cyber Security Committee reviews and documents all the risks and finds other ways to isolate and remedy the risks posed by the vendor’s software.

“We’re all in this for patients,” Mattingly said, “so if it’s the best thing for the patient we will take a look at how we can use the technology safely within the organization while still protecting our systems, assets, and most importantly, patient data.”

Confidence in the Face of an OCR Investigation

Owensboro Health has been working with Clearwater since 2016, utilizing the IRM|Pro® software to assess, document, and remedy threats and vulnerabilities. Clearwater’s consulting team has helped Owensboro conduct risk analysis, workforce training, mock OCR audits, and more. Mattingly says the partnership was key when they found themselves face to face with an OCR investigation a few years ago.

“The team involved in the OCR investigation got on the phone and when we told the OCR that we were working with Clearwater they were satisfied. They said, ‘you’re good.’ It could have gone on longer and had a different outcome but working with Clearwater gave us and the OCR a different level of confidence that we were covering our bases,” Mattingly said.

Early in 2021, Owensboro Health decided to expand their cyber risk management strategy and initiate a continuous, comprehensive enterprise cyber risk management program through Clearwater’s managed services program, ClearConfidence™.

Mattingly says she meets weekly with the Clearwater team to assess systems and risk across the organization. Gone is the panic at the end of the year or the surprise when it comes time to conduct interviews. She says the organization is more familiar with the questions they ask, and the process for managing cyber risk and protecting patient data is now widely accepted and appreciated. As an executive leader, Mattingly says that having Clearwater’s team of industry experts to bounce ideas off or help tackle complex risks is key to ensuring the organization is secure against the ever-changing threat landscape in healthcare.

“We’re all in this together, and it takes a village to combat what we’re dealing with today in the current cybersecurity environment,” says Mattingly. “We’re all fighting the same fight to protect our data and take care of our patients; I think this partnership will continue to grow.”

Deliverables: 

  • Create a comprehensive cyber risk management program to reduce inefficiencies and create organizational buy-in to critical cybersecurity standards and policies
  • Deliver ongoing risk assessment on new and existing information assets
  • Partner in ongoing strategies to enable the organization to leverage innovative technology while protecting patient data

Outcomes: 

  • Clearwater’s ClearConfidence™ managed services program equips Owensboro Health with access to industry experts to help troubleshoot and remedy organizational threats and vulnerabilities continuously
  • Weekly meetings between Owensboro Health’s team and Clearwater ensure risk is assessed on an ongoing basis and risk analysis is continually updated
  • Owensboro Health employees understand, prepare, and participate in ongoing cyber risk management initiatives with better familiarity and a shared understanding of the value and importance of the program
