Published on October 6th, 2019

Hospitals face complex web of cybersecurity risks



Since 2010, Henry Ford has reported four possible data breaches. Like others in health care, Henry Ford is required by federal privacy laws to report breaches and notify patients that their personal information may be used inappropriately.

Wheaton said Henry Ford has learned and improved from each incident, all of which have been caused by human error. One of the first changes the Detroit-based system made was to encrypt all its employee laptops and limit the use of flash drives, which are also encrypted in case they are stolen or lost.

"We take the potential of an attack very seriously," Wheaton said. "We regularly talk with leadership and develop security postures and controls. We are doing all we can. ... Humans are the weakest link."

Like other companies, Henry Ford has created a robust vendor risk-management program to ensure companies that it does business with also take cybersecurity seriously. "We won't go with suppliers that won't go through the process," she said.

Another big change has been to move Henry Ford's information privacy and security office from the information technology department and into the general counsel's office, Wheaton said.

"We are completely partnering with IT, but now I report to the general counsel. The change creates independence, which is a good thing and goes back to a risk-based approach to security," Wheaton said.

Henry Ford's board of trustees, who have elevated the risks of ransomware, malware and hacking to a top board and management priority, are more closely overseeing medical privacy and cybersecurity.





"The board is concerned. We are not unlike any other (large health care company). We have bad actors coming at us all the time. ... We see the data, the attempts. We see people responding. It's a fight," Wheaton said.

In a December 2017 cyberattack, Wheaton said an employee opened an e-mail and clicked on a link without realizing the e-mail was part of a phishing attack. "The user clicked on something (he or she) shouldn't have. We have key security controls. ... The security system contained it" and kept the malware from infecting the wider network.

The Moody's report says hospitals' electronic medical record systems are tempting targets because of the intimate information they contain on patients. However, connected medical devices also pose potential patient safety risks.

For example, connected medical devices such as insulin pumps, defibrillators, pacemakers and cardiac monitors are points where hackers can gain entrance into computer systems, the classic "backdoor" infiltration.

But Wheaton said an even more serious patient safety threat is if a device is hacked and instructed to turn off or to change how it functions. Or if the hacking changes the patient's electronic medical record in a way that causes a doctor or nurse to misdiagnose or prescribe the wrong medication, she said.

"Medical devices are getting smarter, but there are vulnerabilities" from hacking, she said. "This is why I talk about our priority of patient safety. (When a device is hacked) there can be denial of service or the device can't communicate because it is flooded with information."
