Archives     Advertise     Editorial Calendar     Subscribe     Contact Us    

Fighting the Good Fight

Dan Dodson

Fortified Health Security Arming Healthcare Systems in the Cybersecurity War

If the thought of a cybersecurity breach to your bank is terrifying, imagine the fallout for a healthcare organization tasked with protecting the financial, personal and medical information of millions of patients.

Cyber attacks can make or break a health system, shaking the confidence of patients and providers. That's where Fortified Health Security comes in. Founded in 2009, the Franklin-based company is quickly becoming an industry leader, partnering with more than 100 health systems and hundreds of hospitals in 35 states.

The New War in Healthcare

"Cybersecurity is a battle, and it's one that requires continuous engagement," said Dan Dodson, president of Fortified Health Security. "Our healthcare clients need a partner that understands healthcare and cybersecurity, because there's a uniqueness in healthcare that other industries don't face."

Dodson said a common misconception among healthcare executives is the perceived and actual value of their security program. Every day, a healthcare system gets hacked. Once detected, administrators typically drop big money on exceptionally pricey technology aimed at preventing future attacks. Problem is, it's rarely used to its full potential.

"Oftentimes, the technology is so advanced that no one really knows how to run it," Dodson explained. "The perceived value of that investment and actual value is astronomically different, and that's a gap we have to bridge."

He encourages executives to stop thinking about the next shiny box and instead make sure their investment in security technology is being maximized. Fortified staff members work with an organization's existing technology to maximize results and walk alongside IT staff to provide training and ongoing support. "We're an extension of the security team, as our role is to make sure people are leveraging expertise and best practices, and making sure the person on the ground is informed and making the best decisions for the healthcare organization," he said.

Industry Challenges

When it comes to securing healthcare systems, complications can arise from a number of natural restraints. In any other industry, systems might be shut down briefly for updates. In a 24/7 hospital, temporary shutdowns can impact patient care and disrupt operations. Dodson said that not understanding how to manage temporary halts to clinical workflow creates a serious challenge for many big box security companies.

Staffing poses an additional challenge, as healthcare companies compete to attract, train and retain IT talent. Dodson estimated 20 to 50 percent of a hospital's IT staff are using the position as a career stepping stone, while the rest are in it for the long haul. Fortified works with IT leaders to train and increase retention rates among IT personnel.

Another obstacle is the evolving dynamic among the physician, healthcare organization and patient. That's because today's patient-as-a-consumer model demands complete access to online health information. Likewise, physicians now access patient data on all their own devices - a tremendous cybersecurity concern that Fortified has worked to successfully tackle. The company recently won awards for addressing the unique technical challenges associated with securing medical devices, which requires technology, people and processes unique to healthcare. Outsourced billing - not often found under the same security umbrella - creates yet another threat.

"As an administrator, you don't want to restrict your physicians and mess with their workflow because they can go somewhere else, as can your fee-for-service patients," said Dodson. "You have to understand how to make changes technically but also transform the organization's culture through new processes."

Cause & Effect

For many companies, that lesson is learned too late. Data shows hospitals that go public after compromising patient information in a data breach can lose up to 40 percent of their patients - a trickle-down effect impacting physicians, as well. That's because today's patient has a choice in where he or she receives surgery, radiology and imaging services - the moneymakers for most health systems.

"Executives have to ask, can I afford a 40 percent drop in patient choice for high revenue and profitability areas?" Dodson asked. "Most can't even afford a three percent drop."

Mid-Year Horizon Report

For hospitals, it's not about if a breach will occur, but when. Fortified Health Security recently released their Mid-Year Horizon Report, which examines the state of cybersecurity in healthcare. According to their findings, "2018 has seen attack momentum increase and new hacking groups formalize with greater sophistication and focus than ever before."

A key finding was that provider organizations have been compromised more in 2018 than health plans. It also found that most healthcare organizations aren't allocating enough capital to keep up with the attackers, given tight budgets, competing internal priorities and overall financial pressures. The report states that, "According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), this has been the case since 2009.

The OCR Wall of Shame highlighted that in the first week of 2018, there were four major breaches containing more than 500 patient records. This is the same number of breaches reported in the first week of 2017, but the momentum has increased from there. Through the first five months of 2018, there have been 149 breaches reported with over 2.8 million patients impacted, as compared to 134 breaches impacting 2.0 million patients during the same period in 2017. This represents an 11 percent increase in the number of entities impacted by a breach and a 35 percent increase in the number of individuals affected.

While provider organizations appear to have been more heavily targeted so far in 2018, that doesn't' mean health plans have been left alone. Through May of 2018, health plans reported 24 breaches versus 15 in the same time period last year. Similarly, business associates reported 12 breaches in the first five months compared to seven breaches during the same time period in 2017.

The report also addresses benefits and critiques of the FDA's Medical Device Safety Plan, as well as the National Institute of Standards and Technology's Version 1.1 of its Cybersecurity Framework. Both plans were released in April. (A link to the downloadable Fortified Health Security mid-yeaer report is available online at

Dodson co-authored the mid-year report and noted email continues to be a key launching point for attacks. "The sophistication of attackers is unbelievable, because they can outsmart technology and rules to make themselves look like the organization," he said. "For health systems, it's a difficult challenge to keep up with it all, as you're always working to educate employees as well as patients."

A New Way of Thinking

Dodson regularly hears from frustrated chief information officers that administrators simply don't understand cybersecurity risks ... or why throwing high-dollar technology at the problem won't solve it. He challenges administrators to consider how management of cybersecurity risks is interwoven into every hospital initiative. "They need to start managing cybersecurity risks no different than they would clinical risks," he said. "It takes proactive measures, and administrators need to look at the issue holistically."


Fortified Health Security

Healthcare Cybersecurity Mid-Year Horizon Report


Related Articles:

Recent Articles

Self-Care on the Front Lines of Coronavirus

Physicians, nurses, respiratory therapists and the full complement of support staff at hospitals and clinics are battling coronavirus on the front lines. When caring for others, it's all too easy to forget to take care of yourself.

Read More

The Onsite Foundation Announces New Virtual Support Group for Frontline Healthcare Workers and Medical Staff as part of 'Support in Service' Program

The Onsite Foundation, a 501(c)(3) non-profit public charity, today announced a new support group offering under the Foundation's 'Support in Service' program for frontline healthcare workers and medical staff across the country affected by the COVID-19 pandemic.

Read More

New Study Looks at Cost Impact of OTC Birth Control

A new study explores the impact on unintended pregnancies, consistent use of progestin-only OTC birth control pills at various price points.

Read More

Behavioral Health in a Time of Social Isolation

Last month, the Nashville Health Care Council brought together experts for a virtual panel discussion on behavioral health in the midst of social distancing orders.

Read More

COVID-19 & Mental Health

As the virus takes its toll, providers are finding new ways to reach patients and preparing for the mental health fallout ahead.

Read More

Sharing Best Practices in Behavioral Health

Nashville-based online video service provides evidence-based training to public and providers.

Read More

May is Mental Health Month

May is Mental Health Month with excellent resources from national organizations for both patients and providers.

Read More

Business Insights

Read More

Celebrating 15 Years of Incredible Leaders

Following are the 15 classes of Women to Watch. Some of these trailblazers have happily retired after a career of service. Others have moved to other positions and taken up new challenges since they were first recognized.

Read More

New Study Looks at Cost Impact of OTC Birth Control

A new study explores the impact on unintended pregnancies, consistent use of progestin-only OTC birth control pills at various price points.

Read More

Email Print



Cybersecurity, Dan Dodson, Fortified Health Security, Health Information Security, Healthcare Breach, Healthcare Hack, OCR Wall of Shame
Powered by Bondware
News Publishing Software

The browser you are using is outdated!

You may not be getting all you can out of your browsing experience
and may be open to security risks!

Consider upgrading to the latest version of your browser or choose on below: