Organizations move on plans to strengthen security policies, increase training, invest in technology

The COVID-19 pandemic highlighted serious vulnerabilities in the handling and processing of healthcare data, according to a report conducted by CRA Business Intelligence and underwritten by Infoblox.

With employees forced to work from home, healthcare security, compliance and risk executives were required to identify ways to handle and process protected health information (PHI) that was moved off protected networks within hospitals, clinics, medical centers and offices. 

These conditions — in combination with the rising value to hackers of PHI and increasing regulatory penalties — will drive 80% of health care organizations to increase IT security spending this year, on the heels of a similar increase in 2020, according to the report.  

The report is based on a study of 790 senior-level IT professionals in the healthcare industry, conducted in October and November 2020. Nearly all respondents (91%) are significant or final decision-makers for cybersecurity budgets and operations in their organizations, which are located in the United States, Latin America, Europe and the Asia/Pacific region and have 1,000+ employees.

More than half of the respondents (55%) estimated that their upcoming one-year investment to prevent data breaches and network outages will be $2 million or more. To put that investment in perspective, the average data breach cost health care organization respondents who experienced at least one data breach in the past year — some 43% of all respondents — $2 million or more for recovery costs alone from a single data breach event, and 34% spent $2 million or more from a single network outage event. Essentially, that means the cost of recovering from one incident is roughly the same as the cost of preventing similar events for an entire year.

In early 2021, the consequences of data breaches and network outages are expected to be especially detrimental for health care organizations struggling to get back on track — operationally and financially — in the wake of the pandemic. 

Attackers in health care capitalize on multiple vulnerabilities  

One major challenge for health care is the variety of threats that jeopardize IT security. Globally, respondents are evenly split in identifying their top threat as cloud vulnerabilities and misconfigurations (18%), attacks to manipulate data/statistics (18%) and Internet of Things (IoT) attacks (18%), with IoT attacks as the top threat in the U.S. (29%).  

When PHI is the target, attackers have multiple ways to monetize these assets, which the dark web values at $1,000 compared to $5 for a credit card number, according to Experian.  

In addition, the potential conduits to capture such data can be sprawling, from employee error to the transmission of medical transcription over an insecure connection. Expanded use of IoT devices and the high value of intellectual property pose additional vulnerabilities. 

“We have seen a drastic increase in cyber threats from the past seven to eight months,” one U.S. respondent said. “Considering the firm is continuously working toward creating new medicines, we have seen an immense number of malicious activities to steal IP, data and customer information.” 

IT leaders cite wide-ranging outcomes of breaches and outages 

The consequences of an attack are not limited to data loss, of course. Network outages are often just as expensive as breaches: One-third of all respondents said the average financial loss from an outage was more than $2 million.  

Network outages also impose business disruptions that carry direct and indirect costs. Globally, 52% of respondents said the biggest impact would be the loss of data or IP, with 49% citing operational disruptions and 41% citing customer breach notifications.  

For respondents, these translate to serious immediate and long-term effects, including work stoppages in key areas of data analytics and reporting, valuable time lost waiting for system recovery and loss of clients.  

Health care security investments focus on proactive threat detection

As health care organizations adapt to not only the pandemic but shifting work patterns more generally, they must adapt risk mitigation strategies. As one respondent noted, “An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.” 

In seeking to be more proactive with security, 78% of respondents globally said network monitoring has been their most effective mitigation tactic, followed by threat intelligence (61%) and threat hunting (55%). 

Most organizations plan to invest in additional security solutions and strategies this year, with 44% of respondents estimating that these will cost up to $2 million, 34% planning to spend between $2 million and $5 million, and 21% planning to spend more than $5 million. 

For many health care organizations, these investments will be more cost effective than failing to aggressively prevent a data breach or network outage. 

“Ultimately, protecting health data is not unlike protecting any other type of data,” the report notes. “The key difference is the massive fines and penalties associated with organizations where PHI is compromised.” 
