Why hospitals need better cyber hygiene

Cyber attacks within the healthcare sector rose a staggering 55% in 2020. The average cost to recover patient records jumped 16% over the past year.

Hospitals and other institutions are allocating more resources on both defense and offense against these increasingly severe and targeted attacks. 

Healthcare providers are prime targets for cyberattacks because they handle personal data that is attractive and lucrative for bad actors, with cyber criminals can earn up to $1,000 per stolen medical record.

Furrther, organisations became more susceptible to successful phishing schemes as a result of strained resources and stretched capacity throughout the COVID-19 pandemic. All it takes is for one tired employee to let their guard down and inadvertently click on a suspicious link to bring operations to a standstill.

The industry’s defense mechanisms and ability to identify and mitigate cyberattacks also lag behind other sectors. Healthcare organisations take an average of 236 days to detect a data breach and 93 days for containment, compared to 207 days and 73 days for peers in other industries.

Telehealth services and the rapid adoption of advanced medical devices directly improve patient care and outcomes but expand hackers’ entry points into organisations’ networks. These industry dynamics are creating a perfect storm of healthcare cybersecurity risks at a time when we most need the system to be up and running.

Impact on patient safety and beyond

Cyber attacks have far more serious implications in the healthcare sector given a hacker’s ability to physically harm patients. Emergency and operating rooms could shut down during an attack, preventing patients from receiving urgent care.

Disruptions to medical supply chains could impact providers’ ability to administer critical medications. Hackers could tamper with patient records and lab results, which could lead to misdiagnosis or inadequate treatment.

Outside of clinical outcomes, breaches impact patient trust, with more than a third (37%) of healthcare organisations feeling their reputation suffered after an attack.

A 2016 survey found half of Americans wouldn’t return to a provider if it was subject to a security breach. More recently, 48% stated they would not return to telehealth services after a cyberattack.

Breaches are also becoming costlier for organisations to manage, which impacts financials. The average cost of a healthcare data breach is now $9.42m. Cyber insurance premiums have also jumped – by an average of 18% in just the first quarter of 2021.

Fortify your organisation against security threats

There are several strategic areas in which to focus on cybersecurity risk management investments to strengthen your infrastructure against future attacks. Here are three moves you can make now to boost protection against cyber-risk events:

1. Check your vendors

Fifty-one percent of businesses have suffered a data breach caused by a third party. While vendors and partners are critical to the success of organisations, they also pose considerable security threats.

Send customised questionnaires to each vendor to collect data on their agreements, access credentials, security practices, and more. Supplement this information with external data feeds to get a 360-degree view of exposure across your third-party relationships.

Classify each vendor based on risk level and re-assess high-risk partners with access to sensitive information frequently. Monitor your partners to catch any changes to their ability to meet obligations and track outstanding security issues and their resolution. Put a continuity plan in place in the event of an attack.

Software is invaluable for supporting these core processes. Yet, a surprisingly high number of organisations still manage third parties using spreadsheets. Consider an investment in technology to get a deep understanding of the cyber health of your third parties and enhance your ability to identify and mitigate threats.

2. Focus on your people

There is a human element to cybersecurity that is often overlooked. While data encryption, two factor authentication, and software updates will always be critical components, it’s also important to build the needs of your people into your strategy.

It’s not uncommon for medical personnel, who are zeroed in on patient outcomes, to skip over key security protocols to deliver quick care if they don’t understand the correlation.

Employee education on cyber risk and the direct impact to patient safety only goes so far. There’s an incredible opportunity to make staff’s jobs more efficient so they don’t have to choose between delivering great patient care or prioritising cybersecurity.

Automate patient reporting processes, rounding practices, root cause analysis, and more so that key workflows and collaboration tasks can be completed in just a few clicks and in adherence to security standards.

3. Centralise critical information

Healthcare consolidation is on the rise and mergers often create a mishmash of information for healthcare organisations. Critical business data often stays fragmented as various systems, processes, and technologies are brought together.

Disparate data is dangerous because it creates a fragmented view of cyber-risk exposure. Cyber threats are tied to events that happen elsewhere in the business. A supplier policy that sets insufficient obligations and expectations around cybersecurity, for example, could leave the organisation vulnerable to a data breach.

It’s impossible to identify this interconnectivity of cyber risk without a single source of truth.

Consolidate your data from siloed applications into a central system that surfaces and analyses key risk information. You’ll be much better equipped to identify how particular risks in other departments and business processes could increase the likelihood and severity of a cyber-risk event.

A secure tomorrow starts today

Healthcare organisations simply can’t afford the operational disruption and patient safety risks that a cyberattack poses. This is especially true as hospitals and institutions continue to grapple with capacity constraints as Delta and other COVID variants continue to emerge.

Make strategic investments in technology and infrastructure now to avoid significant disruption down the road.

Jim Wetekamp is the CEO of Riskonnect and a recognised expert on enterprise risk, supply chain, and third-party risk management.