Owensboro Health on Taking Cyber Risk Management Beyond the EHR

Redefining Cyber Risk Management

“We knew there were better strategies than rushing through a risk assessment at the end of every year to check a compliance box,” says Jackie Mattingly, CISO at Owensboro Health.

Mattingly explained that using an isolated approach to cyber risk management meant most of their efforts were focused on their EHR, leaving multiple other risks across the organization unidentified and therefore unremedied.

“Most of these major EHR systems have a pretty good grip on security for their systems. We use Epic and they have things pretty well buckled up,” Mattingly said. “They’ll actually notify us if they detect an incident but it’s the many other ancillary systems we use that pose a greater threat. You really have to assess risk across the enterprise.”

It can be challenging to get everyone on board with an enterprise cyber risk management program. Mattingly explained that it’s easy for a hospital or health system to find themselves siloed in their approach to security because vendors sell apps, devices, and software to different decision makers across the organization. It would be easy for someone in a clinical specialty to make a purchasing decision for technology that can improve diagnostics and patient outcomes without realizing that the technology violates certain aspects of the organization’s security policies.

Mattingly says this doesn’t mean a purchase gets shut down, but rather that their Cyber Security Committee reviews and documents all the risks and finds other ways to isolate and remedy the risks posed by the vendor’s software.

“We’re all in this for patients,” Mattingly said, “so if it’s the best thing for the patient we will take a look at how we can use the technology safely within the organization while still protecting our systems, assets, and most importantly, patient data.”

Confidence in the Face of an OCR Investigation

Owensboro Health has been working with Clearwater since 2016, utilizing the IRM|Pro® software to assess, document, and remedy threats and vulnerabilities. Clearwater’s consulting team has helped Owensboro conduct risk analysis, workforce training, mock OCR audits, and more. Mattingly says the partnership was key when they found themselves face to face with an OCR investigation a few years ago.

“The team involved in the OCR investigation got on the phone and when we told the OCR that we were working with Clearwater they were satisfied. They said, ‘you’re good.’ It could have gone on longer and had a different outcome, but working with Clearwater gave us and the OCR a different level of confidence that we were covering our bases,” Mattingly said.

Early in 2021, Owensboro Health decided to expand their cyber risk management strategy and initiate a continuous, comprehensive enterprise cyber risk management program through Clearwater’s managed services program, ClearConfidence™.

Mattingly says she meets weekly with the Clearwater team to assess systems and risk across the organization. Gone is the panic at the end of the year or the surprise when it comes time to conduct interviews. She says the organization is more familiar with the questions they ask, and the process for managing cyber risk and protecting patient data is now widely accepted and appreciated. As an executive leader, Mattingly says that having Clearwater’s team of industry experts to bounce ideas off or help tackle complex risks is key to ensuring the organization is secure against the ever-changing threat landscape in healthcare.

“We’re all in this together, and it takes a village to combat what we’re dealing with today in the current cybersecurity environment,” says Mattingly. “We’re all fighting the same fight to protect our data and take care of our patients; I think this partnership will continue to grow.”

Deliverables:

  • Create a comprehensive cyber risk management program to reduce inefficiencies and create organizational buy-in to critical cybersecurity standards and policies
  • Deliver ongoing risk assessment on new and existing information assets
  • Partner in ongoing strategies to enable the organization to leverage innovative technology while protecting patient data

Outcomes:

  • Clearwater’s ClearConfidence™ managed services program equips Owensboro Health with access to industry experts to help troubleshoot and remedy organizational threats and vulnerabilities continuously
  • Weekly meetings between Owensboro Health’s team and Clearwater ensure risk is assessed on an ongoing basis and the risk analysis is continually updated
  • Owensboro Health employees understand, prepare, and participate in ongoing cyber risk management initiatives with better familiarity and a shared understanding of the value and importance of the program

More Success Stories

Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

In an era where the privacy of reproductive healthcare has become a topic for debate, healthcare organizations face growing fears and challenges over the potential misuse of sensitive patient data. Recent legal developments, coupled with the shifts following the Dobbs v. Jackson decision, have shown the urgent need for robust safeguards. Notably, the December 23, 2024 compliance deadline for the HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy offers a pivotal moment to address these concerns.

The Health Care Cybersecurity and Resiliency Act of 2024: Key Takeaways and Implications

The Health Care Cybersecurity and Resiliency Act (HCCRA) of 2024 is yet another proposed bill aimed at strengthening the healthcare sector’s cybersecurity posture and resilience. It focuses on improving coordination between government organizations, updating cybersecurity standards, increasing breach reporting requirements, and providing grants to rural healthcare organizations that lack both the financial and human resources needed to address growing cybersecurity vulnerabilities and increasing threats.