By Richard Staynings, Chief Security Strategist at Cylera
Looking at recent healthcare cybersecurity statistics, it’s evident that the healthcare industry is facing a concerning IoT security crisis. Healthcare data breaches have doubled in the last three years while ransomware attacks are increasing in speed and scale, with reports claiming that one single HPH (Healthcare and Public Health) breach costs over $110 million. These alarming figures reinforce the urgent need to improve security measures in the sector.
Healthcare organizations are a prime target for cybercriminals because of the highly valuable, sensitive data they store, the critical need to keep operations running and the fact that most are under-resourced and overwhelmed. All of this leaves them particularly vulnerable to attack. The industry is up against significant challenges to stay secure online, which is putting patient care and data in the firing line. So, what exactly are these challenges and why is healthcare cybersecurity more crucial than ever?
Third-party risk
Healthcare organizations frequently depend on external vendors to fulfil various functions, such as data storage and processing or maintenance of complex medical equipment. These suppliers may not maintain cybersecurity standards equivalent to those of the healthcare entity they serve, and may inadvertently introduce risk to a provider organization’s security infrastructure.
It is imperative for healthcare organizations to establish adequate controls and comprehensive cybersecurity protocols to shield against third-party cyberthreats. This involves educating staff and third parties on the identification of and appropriate response to cyber perils, routinely upgrading software and systems, conducting frequent vulnerability evaluations, and enforcing access controls and monitoring systems. By proactively addressing these risks, healthcare institutions can safeguard patient health information (PHI) and reinforce the robustness of their systems, thereby ensuring consistent, high levels of patient care.
Patient health records and ransomware
Providers of healthcare have a legal responsibility to safeguard the medical and personal information of patients, much of which is now digitally stored either on-site or in the cloud. Unfortunately, the valuable nature of this data and the critical role of the healthcare sector make it an attractive target for cyber attackers, particularly ransomware groups.
The Data Breach Investigations Report (DBIR) 2023 revealed 525 cybersecurity incidents in the healthcare sector alone within the last year, with 436 confirmed data breaches.
Having total visibility of all devices on your network is therefore an essential line of defence as you can’t protect what you can’t see. Having a consolidated view of multiple assets across multiple sites also means you can effectively manage third-party risk (vendor risk) as reliable device data will help validate vendor adherence to SLAs and agreements, as well as identify opportunities to alter service level agreements to match actual device utilization or vendor engagement. A centralized view of device compliance which feeds into the right team and tool, as needed, will help with overall improved governance and accountability.
The cost of an attack
An average data breach in the healthcare sector carries a price tag of $10.1 million USD, eclipsing costs in other industries. Nevertheless, not all of these expenses stem directly from responding to the breach. Healthcare cybersecurity incidents also incur numerous additional costs, including harm to reputation and the delays to crucial patient care, some of which are hard to quantify in monetary terms.
In 2021, Scripps Health, a non-profit healthcare provider based in California, fell victim to a ransomware attack, resulting in a staggering $112.7 million USD in expenses within a mere three-month period. Of this total, only $20 million USD was allocated for addressing the incident and facilitating recovery, with the remaining $90+ million USD arising from lost revenue. Scripps also faces a number of class action and other suits from its patients who were denied services during the provider outage. Aside from the direct impact, the Scripps outage also put staggering pressure on other healthcare providers in the area which were forced to pick up a huge additional patient load.
For any healthcare organization, these costs can be crippling. Holding cybersecurity insurance is a critical part of any cyber defence plan, but it is no substitute for good upfront security, including well-practised business continuity, disaster recovery and security incident response plans. These need to be regularly practised and reviewed as your IT infrastructure and environment evolve. However, having a proactive cybersecurity strategy in place, where IT teams have deep visibility of their networks and real-time data to detect and respond to threats, is essential because, as the saying goes, ‘prevention is better than cure.’
Lack of risk mitigation
Healthcare organizations must comply with numerous data privacy regulations and standards due to the volume of sensitive information and personal data they hold on patients. These regulations include:
- The General Data Privacy Regulation (GDPR)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Various local and national breach notification rules
Inadequate cyber defence systems significantly contribute to successful breaches, exposing organizations to the risk of subsequent attacks and legal proceedings.
The best way to protect your organization from a data breach is to start with your first line of defence – your staff. Cybersecurity compliance training will teach teams best practices and protocols for protecting sensitive information, and ways to adhere to current as well as potential future regulations, to ensure that your organization stays one step ahead.
With cyber threats on the rise and healthcare organizations at risk of hefty penalties for inadequate protection should a data breach occur, it’s never been more important for healthcare organizations to also prioritize the implementation of intelligent cybersecurity solutions. A solution that ensures compliance, protects patients and speeds up risk resolution is key; only then can you feel reassured that you have done everything possible to protect the organization.
In addition to safeguarding sensitive patient data and ensuring regulatory compliance, intelligent cybersecurity solutions can also enhance operational efficiency within healthcare organizations. By automating security processes and leveraging advanced threat detection and response mechanisms, these solutions not only mitigate risks but also reduce the burden on IT teams, allowing them to focus on other critical aspects of healthcare IT infrastructure. This improved efficiency can result in cost savings, better resource allocation, and ultimately, a more secure and resilient healthcare environment. In today’s digital age, the holistic integration of intelligent cybersecurity measures is not just a choice but a necessity for healthcare organizations to thrive in a rapidly evolving threat landscape.