Editor’s note: Syed Kaptan is a director of North American threat intelligence engineering at data-driven security operations company ThreatQuotient. He was originally a network security planner at Verizon.
Since the onset of COVID-19, factors including remote work, new systems to support it, staffing challenges, and elevated patient care requirements have significantly increased cyber risk in the healthcare sector. A new study found that 89% of healthcare organizations surveyed experienced at least one cyberattack in the last 12 months.
Each of the four types of cyberattacks analyzed — cloud compromise, ransomware, supply chain and business email compromise — had a negative impact on patient care, with ransomware the most damaging. Of the 41% of organizations reporting a ransomware attack, 67% reported an impact on patient care and 24% reported a rise in mortality rates.
Although we’re entering a post-COVID era, many of the factors straining the healthcare industry will continue and we can expect additional risk factors to kick in.
A lot of analysts are predicting we’re on the verge of recession. When this happens, cybersecurity investments in the healthcare industry will likely suffer. Already, a majority of healthcare cybersecurity professionals surveyed report just 6% or less of their IT budgets are allocated to cybersecurity, compared to the industry average of 21%. Healthcare organizations tend to view cybersecurity as an expense that eats into the bottom line. While healthcare security leaders often tell me that they are trying to position cybersecurity as a competitive differentiator, they are not quite there yet and budgets are still lacking.
In some cases, hesitance to shift IT spending to cybersecurity arises because the back-office technologies currently in use are old legacy systems, and the priority is to upgrade them before allocating money to cybersecurity tools. While upgrading does help thwart ransomware and other attacks that exploit vulnerabilities in those systems, direct investment in cybersecurity is still required.
Another factor impacting cybersecurity budgets is that many smaller healthcare companies mistakenly think they are under the radar and not attractive targets for cyber criminals. In fact, the data suggests that attacks against smaller healthcare companies such as regional hospitals, specialty clinics and physician groups are on the rise.
The view of cybersecurity as an expense goes hand-in-hand with another challenge: the shortage of IT security talent. Organizations in sectors that prioritize security spending, such as technology, financial services, telecommunications and energy, are better positioned to win the battle for talent.
They offer attractive compensation packages with more career advancement opportunities. They also offer the opportunity to work with the newest and latest cybersecurity tools and technologies. Healthcare organizations do not offer these bells and whistles and are often not seen as the first choice for cybersecurity job seekers.
Data privacy and security regulations are more restrictive in healthcare and with good reason. Beyond the financial implications organizations across sectors face when they fail to satisfy mandates, people’s lives can be impacted when a healthcare organization experiences a breach, so there is less room for error.
Telehealth and the use of electronic health records will continue to expand, so we can expect even more data sharing between healthcare providers and with patients. Whenever there is a rise in data interoperability, the risk of data loss increases.
Attacks on technologies and tools — including records systems, patient monitoring systems and wearable devices — can be devastating, so maintaining data privacy and protecting these systems from compromise is increasingly important.
Healthcare organizations have amazing IT technologies in place to improve patient outcomes. However, they still lag other industries in terms of cybersecurity investment and continue to view cybersecurity as an expense. The lessons we can learn from the Tenet Healthcare attack earlier this year can help change that.
In its Q2 earnings report, Tenet quantified the financial impact of a major cyberattack that disrupted some of its acute care operations and required a suspension of user access to certain systems. While the company’s hospitals remained operational and continued to deliver patient care using backup processes, quarterly earnings fell by approximately $100 million due to the attack.
Using that number as an example, every healthcare organization needs to assess its potential for financial loss due to a cyberattack. Downtime, the cost of restoring systems, reputation loss, lawsuits, fines and penalties all drive up expenses.
Cybersecurity leaders have an opportunity to create a strong business case for improved cybersecurity that will help secure additional budget and address healthcare’s inherent talent and compliance challenges.
Another way to help reframe thinking is to take a page from the retail industry, which looks at theft as a cost of doing business. Retailers budget for and reduce “shrinkage” by investing in specific technologies and processes.
If healthcare organizations can start to view cybersecurity investments similarly and budget appropriately so they are prepared for a cyberattack, they can proactively mitigate risk.
The cybersecurity adage still holds true, “It’s not a matter of if, but when and how we’ll be attacked.” Given all these risk factors, it’s no surprise that cyberattacks are becoming more prevalent in the healthcare industry. By reframing thinking to view cybersecurity as a business enabler, not an expense, healthcare organizations can overcome the unique cybersecurity challenges they face and mitigate the risk to their bottom line and, more importantly, to their patients.