CyberVitals: Cybersecurity in the New Normal

Contributor: Vidya Murthy, WEMBA’42 


Healthcare has long been a target of cybercriminals. Unfortunately, as the global pandemic has persisted, threat actors that once promised to leave healthcare alone during COVID are no longer patiently waiting; instead, they are taking advantage of an overwhelmed health system and the opportunities it offers them.

Pre-COVID, many cybersecurity failures were pinned on employee/human-factor failures, where staff fell for phishing or other social engineering tactics. But one cannot dismiss that healthcare is an industry under attack: in the last quarter of 2019 alone, there was a 350% year-over-year increase in ransomware attacks on healthcare entities, and 2020 has seen a further increase.

The Department of Health and Human Services (HHS) noted a 50% increase in healthcare cybersecurity breaches during the first half of 2020. There may be some correlation with the rapid digitalization health systems adopted to deliver remote patient care and telehealth, and to enable remote workers. As expected, the cybersecurity problem plaguing healthcare has not gone unnoticed by patients: 48% of patients would be unwilling to use a telehealth solution again if their data had been exploited as a result of a breach.

These attacks, overnight digitalization, and the pandemic effect confirm we need to change our strategy as an industry, begging the questions, “How much will this cost, and who’s going to pay for it?” 

What is the cost in healthcare?
The 2020 Cost of Data Breach Study confirmed the average time for a healthcare organization to identify a breach is 329 days, which is 93 days longer than in the financial industry. This translates directly into real dollars and cents: the average total cost of a data breach in the healthcare industry is $7.13 million, the highest of any industry for the tenth year in a row.

While 13 of the 17 industries assessed experienced a drop in the cost of a breach, the total damage in healthcare, whether to patients, devices, care delivery systems, or reputation, remains consistently high.

How does the spend compare?
Financial institutions, an industry with a mature cybersecurity posture, have allocated significant funding to technologies that protect client assets. A study by Deloitte found that an average of 10.9% of IT budgets in the sector was slated for cybersecurity. Hospitals and healthcare providers, on the other hand, have dedicated only 3%-4% of their IT budgets to cybersecurity.

Not all spend is equal: simply doubling cybersecurity spend in healthcare would not be enough to reach a more secure state. Instead, we need to be strategic and shift security up the supply chain.

Moving up the supply chain
With threats coming in from seemingly every angle, the current strategy of relying mostly on hospitals to “be secure” must be revisited. We have had a decade to try to solve this almost exclusively from the hospital side, and it has not been effective; it was probably unrealistic to expect it would be. Layer in the push for care outside the four walls of a hospital, and it becomes evident that hospital-based security alone will not work.

Shifting up the supply chain means implementing proactive security measures across every connected component of healthcare. Whether it is an electronic medical record system, a medical device, a cloud service, or a telehealth application, each must be designed and implemented with security in mind. There are very tactical practices that can begin today without having to recreate your health system:

  • Make purchasing decisions that treat cybersecurity risk as a key criterion rather than a “tick the box” exercise.
  • If your staff will continue to work from home, set clear expectations and requirements for remote work security. In particular, lean on technology (such as VPN, encryption, and secure authentication defaults) rather than process or human interventions; this enables continued secure work with limited interruption.
  • Engage healthcare security experts who can make recommendations and who understand the complexity of this ecosystem.

Cybersecurity ROI
Each year, healthcare organizations collect, store, and share more patient data than they did the year before, the result of connected medical devices, clinician mobility tools, and emerging Internet of Things use cases. More data means more potential jackpots for attackers, whose methods continue to evolve.

In 2020, a cyberattack forced Düsseldorf University Hospital to divert a patient to another facility, and the patient did not survive the delay in receiving care. While the criminal investigation concluded the patient most likely would not have survived regardless, we must remember that the impact of ransomware attacks and data breaches in healthcare can be severe.

Cybersecurity initiatives are also costly. Every dollar and hour spent on protecting data must come from some department's budget. By identifying and implementing solutions that are both effective and efficient, hospitals can keep patient data safe without bursting IT budgets.

Cybersecurity is often presented as a problem to be fixed so that growth and profits can proceed uninterrupted. In truth, cybersecurity is fluid, an enabler, and an adept partner to healthcare’s most ingenious innovations. In today’s complex global supply chains, with their aggressive and evolving threat landscape, healthcare must change and employ proactive cyber strategies.


Contact Vidya at: [email protected]