
Piecing Together the Cybersecurity Puzzle: A Call to Action for Healthcare Leaders

Healthcare executives must recognize the 10,000-piece cybersecurity puzzle is more likely solved by engaging leaders throughout the organization to share in responsibility instead of dropping the box of pieces on the desk of the CIO to solve alone.

Few industries present as complex a dilemma when securing systems and data as healthcare. Just like an intricate puzzle with interlocking pieces, patient care and medical services demand an encompassing approach to safeguarding sensitive information and fortifying networks, systems, and devices. Within this jig-sawed landscape, healthcare organizations must navigate the curves and alcoves of protecting patient records, preserving personal data privacy, and adapting infrastructure to withstand the ongoing and ever-evolving industry threats. The stakes are high, as connecting every piece of the cybersecurity puzzle is crucial to maintaining trust, ensuring patient well-being, and empowering providers to confidently navigate the digital age.

In 2022, cyberattacks targeting healthcare organizations rose by 86% compared to 2021, placing healthcare among the top three industries threatened by malicious actors. This trend is correlated with the growing recognition that patient data is more valuable than credit card information on the black market, as breached patient records sell for up to $1,000 on the dark web. Cybercriminals increasingly use tactics like ransomware, insider threats, and service provider attacks to steal this treasure, leading to significant financial and operational impacts, with an average cost of $10.10 million per breach.

Against this backdrop, securing systems and data in healthcare becomes even more challenging. While the industry, on average, allots 4-7% of its IT budget to cybersecurity, critical infrastructure sectors such as banking invest 10-15% or more in protecting their assets. Compounding the issue is the pressing global demand for an additional 3.4 million cybersecurity professionals across industries, leaving healthcare competing for skilled professionals. Many talented individuals who began their careers in healthcare are enticed by industries with greater financial resources and potentially easier challenges. This exodus leaves healthcare searching for skilled cybersecurity puzzle solvers, whose presence has become increasingly vital in a world grappling with escalating threats and vulnerabilities.

But should the solution fall squarely on the shoulders of IT? Healthcare executives must recognize the 10,000-piece cybersecurity puzzle is more likely solved by engaging leaders throughout the organization to share in responsibility instead of dropping the box of pieces on the desk of the CIO to solve alone. They should acknowledge the puzzle extends far beyond the realm of data breaches and financial losses; it encompasses the critical elements of patient safety, staff welfare, and the overall stability and reputation of the organization. And they should acknowledge their role in leading these efforts.

A team effort

When solving the puzzle, healthcare executives need to consider a range of factors unique to the healthcare industry that IT, if left alone to decipher them, might not be in a position to fully respond to:

  • Executives need to ensure cybersecurity measures do not compromise patient safety. For instance, if medical devices or systems are taken offline due to a cyber-attack, could it lead to a delay in patient care and potentially harm patient outcomes? Are clinicians coordinating with cybersecurity to ensure patient safety?
  • What about the revenue cycle (billing, claims processing, and payment collection), which is closely tied to the organization’s ability to deliver patient care? Remember, cyber threats not only pose a risk to patient data and privacy but also to the financial stability of the organization. Do non-clinicians coordinate with cybersecurity on access, availability, and recovery risks and corresponding control design?
  • Healthcare organizations are subject to a range of regulations such as HIPAA and the HITECH Act that require them to protect patient data. Executives need to ensure that cybersecurity measures are in alignment with these requirements to avoid costly fines and legal liability. Are compliance and legal working with IT to stay within regulation?
  • Healthcare organizations often work with third-party vendors such as medical device manufacturers and cloud service providers. Executives need to ensure that these vendors have appropriate measures in place to protect patient data, and that legal language is in place to protect the organization in the event of a failure at the third-party.
  • With limited resources, executives need to prioritize investments in cybersecurity based on the risks they face. According to the Federal Bureau of Investigation’s 2022 Internet Crime Report, healthcare organizations are at a higher risk of ransomware attacks than organizations in any other sector. Clearly, ransomware and its modes of delivery should be the highest priority for those responsible for cybersecurity in healthcare. How aware are executives of the levels of resiliency needed to serve patients, compared with the controls developed to provide that resilience?
  • After a breach, health systems tend to spend 64% more on marketing than at pre-breach levels. Healthcare organizations rely on patient trust, and a data breach can lead to reputational damage that can impact the bottom line. Executives need to consider the potential reputational impact when assessing protection measures. Are PR and marketing working with cybersecurity to ensure they are involved when needed?

These are just a few pieces executives should recognize when considering their overall responsibility for leading the organization.

Placing the pieces: A framework for cyber risk management

With this advanced understanding, forward-thinking leaders have a unique opportunity to prioritize an organization-wide strategic approach embracing the interconnectivity of people, processes, and technology to navigate the cybersecurity puzzle with confidence, protect critical assets, enable patient well-being, and establish organizational resilience.

  • Initial assessment: Conduct an independent assessment of the organization’s cybersecurity capabilities, vulnerabilities, and readiness, considering people, processes, and technology. Identify areas for organizational involvement and improvement and prioritize actions based on risks and resources.
  • Foster collaboration: Engage stakeholders from various departments to foster a culture of shared responsibility and collective problem-solving. Collaborate with IT teams, clinical staff, operations managers, legal and compliance officers, and executive leadership to address cybersecurity challenges comprehensively.
  • Prioritize investments: Allocate resources strategically to enhance network defenses, implement robust access controls, conduct regular staff training, ensure compliance with regulations, and address identified vulnerabilities effectively.
  • Build resilience: Integrate resilience into response and recovery from cyber threats. This involves coordinating Business Continuity, Disaster Recovery, and Incident Response plans, conducting regular drills and simulations, establishing effective backup and recovery strategies, and implementing proactive measures to detect and mitigate threats. By building resilience, organizations can minimize the impact of cyber incidents, maintain continuity of operations, and swiftly return to normalcy, ensuring the safety of patients, staff, and critical systems.
  • Ongoing audit & improvement: Establish mechanisms for regular independent cybersecurity assessments, IT and HIPAA compliance audits, threat intelligence sharing, and monitoring of emerging trends. Stay agile and responsive, adapting cybersecurity strategies to address findings and challenges promptly.
  • Collaboration & knowledge sharing: Foster collaboration and knowledge sharing within the organization and across the healthcare industry. Participate in information-sharing networks, industry associations, and public-private partnerships to enhance cybersecurity practices, learning from others’ experiences.

Solving the puzzle

Piecing together a comprehensive cybersecurity program requires constant attentiveness, a focus on people, processes, and technology, and efforts to adapt to new challenges. Yet, we can only stay ahead of the attackers and help ensure the trust and confidence of patients and stakeholders if we foster collaboration and maintain ongoing organization-wide vigilance. A puzzle will never be complete with missing pieces. Organizations need to understand the importance of each part that makes up their cybersecurity program and, through a unified effort, put them all together.


Joe Oleksak, CISSP, CRISC is a partner with the cybersecurity practice at Plante Moran. He has a B.B.A. in finance and management information systems, belongs to the Information Systems Audit and Control Association, and is a member of the International Information Systems Security Certification Consortium. He and his team are passionate about finding and fixing security holes that might otherwise leave businesses vulnerable to attack.