The upcoming year will see the most catastrophic attack against a healthcare delivery organization (HDO) to date—and that isn’t all that bold of a prediction. Healthcare systems remain top targets for hackers, drawn by the potential jackpot of breaching systems with sensitive personal data and carrying out subsequent identity theft or ransomware attacks. Combine that with underfunded security budgets and challenges unique to healthcare security, and HDOs will remain soft targets.
One of the largest-yet attacks on an HDO occurred just weeks ago when CommonSpirit Health, a chain including 140 hospitals and more than 1,000 care sites, experienced an incident that caused system shutdowns, ambulance diversions, and other disruptions. Escalating cyberattack trends make it all but a sure thing that 2023 will surpass this past year in average data breach cost, and include a singular attack of unprecedented severity.
In shifting away from this dire status quo we must understand why HDOs remain so particularly vulnerable to attacks. The Top 5 reasons include:
- Extreme resource constraints limit healthcare IT security.
Inadequate budget commitments are the clear number-one issue keeping HDOs from achieving more effective cybersecurity protections. A BreachQuest study finds HDOs spend just 4-7% of their IT budgets on cybersecurity. In recent years, the impacts of the COVID pandemic hampered HDO budgets with significant investments in digital transformation and telehealth initiatives, further contributing to IT security budget woes. And it's not just security technology itself that needs proper budget. HDOs also must ensure they have sufficient internal staffing – or managed services – to deploy and manage it.
- Attackers are highly incentivized to target sensitive patient data for theft or ransom. HDOs are then incentivized to give in to their demands.
Sensitive data representing the most private and exploitable patient information is essential to healthcare delivery. That same data entices identity thieves and ransomware attackers who know full well that HDOs can’t afford system downtime. This assessment that HDOs are easy money has been borne out by observed behavior: 61% of HDOs hit by ransomware in 2021 opted to pay the ransom. However, it’s hard to judge HDOs for making those decisions given the literal life-and-death stakes they face.
- Traditional cybersecurity best practices aren’t always congruent with HDO priorities.
In most industries, IT security teams have free rein in securing their environments—from removing devices with security flaws to implementing security scanning and utilizing traditional generic network and IoT security strategies. However, HDOs rightfully prioritize patient outcomes above all else. IT security teams cannot unilaterally remove high-risk Internet-of-Medical-Things (IoMT) devices, but must confer with clinical practitioners and ultimately follow their decisions. If those practitioners recognize a device’s vital impact on patient health or the patient experience, IT security teams must work around known security flaws as best they can. HDOs can also suffer when internal IT and healthcare technology management teams have vague ownership roles, making it unclear who should field the ball in a timely security crisis.
- Tight healthcare regulations slow internal HDO processes, while loose IoMT device manufacturing regulations leave HDOs to secure systems themselves.
Healthcare is a heavily regulated industry, requiring HDOs to ensure their technologies and practices comply with HIPAA and other pertinent regulatory compliance frameworks. This presents two issues. First, internal bureaucratic processes intended to “dot every i” in adhering to regulations make for a slow evolution in security capabilities. Second, HDOs tend to view security from a compliance perspective when they should maintain a broader viewpoint: an HDO can stay compliant without being that secure.
At the same time, the U.S. government recently came close—but failed—to enact security requirements for medical device manufacturers that would have made them responsible for pre-market cybersecurity assessments and transparent vulnerability insights. Without those requirements, HDOs must continue to make their own way in discovering and addressing device security flaws.
- HDO modernization and adopting more IoMT devices and internet-connected endpoints offer an expanding attack surface.
HDOs continually adopt new devices and systems in pursuit of more effective and modernized care. The result has caused extensive IoMT inventories and a device churn rate of 15% per year that’s unparalleled in other industries. That activity inevitably creates security challenges, as teams work to protect vast device fleets and learn the security profiles of new solutions. Worse, many IoMT devices are far more vulnerable than those in other industries because they don’t receive patches with the same frequency, and are also more expensive and difficult to replace.
While HDOs face a steep challenge in changing their fate in the face of increasing attacks and data breach expenses and dangers, a clear understanding of what they’re up against can help set a new path. By expanding IT security budgets, building best practices unique to HDO needs, and narrowly targeting the true risks to IoMT devices, HDOs can begin to reverse recent trends and leave record-setting attacks in the past.
Shankar Somasundaram, chief executive officer, Asimily
