By Mackenna Moralez, Associate Editor

It has been a critical year for cybersecurity as more hospitals and other healthcare facilities have become victims to cyberattacks.  

As previously reported by Healthcare Facilities Today, Ascension confirmed a ransomware attack in May after the company detected suspicious activities on its network systems. Weeks after the attack, the organization is still working with external experts to determine if sensitive patient information was compromised.  

The cyberattack against Ascension is not the first time this has occurred in the healthcare industry, nor will it be the last. According to a report from Verizon, 525 cyber incidents took place against healthcare facilities in 2023. The report found that 98 percent of breaches were financially motivated, with 66 percent of breaches occurring externally while 35 percent were internal. Among the data compromised, 67 percent were personal, 54 percent were medical and 36 percent were credentials.  

Related: Lessons to Learn from the Ascension Ransomware Attack

To help aid in the prevention of these attacks, DNV has launched the first cybersecurity certification for hospitals, the Advanced Healthcare Cybersecurity Certification. It aims to help healthcare professionals better identify and address gaps and areas for improvement in their security systems.  

The certification focuses on comprehensive security risk management in the hospital environment, encompassing cybersecurity, privacy, automation, AI and the Internet of Medical Things (IoMT).  

To achieve full Advanced Healthcare Cybersecurity Certification, hospitals must comply with program requirements which include: 

• Quality management system – plan and develop the processes needed for cybersecurity risk management service delivery 
• Program management – The personnel working in the AHCC program are appropriately trained and meet all applicable rules, codes and guidelines 
• Medical staff management – The AHCC leadership shall determine specific quality performance data 
• Staffing management – AHCC leadership shall provide continuing education to staff members assigned to the program 
• Patient rights - The organization shall inform each patient and/or legal representative of the patient’s rights in advance of providing or discontinuing care and allow the patient to exercise his or her rights consistent with regulatory statues governing patient safety, data privacy and data security 
• Medical record service – The organization shall comply with all applicable rules, guidelines and requirements regarding medical records services, including data security 
• Physical environment management – The organization shall determine, provide and maintain the infrastructure needed to achieve conformity to the AHCC program requirements, including buildings, cloud storage, data, workspace, and associated utilities, process equipment, mobile devices, hardware, software, cloud services provider 
• Advanced healthcare cybersecurity service delivery – AHCC leadership shall plan and develop the processes needed for cybersecurity risk management service delivery 

Mackenna Moralez is the associate editor for the facilities market.