The experiences of 2023 have underscored the critical importance of cybersecurity in the healthcare sector. Per HIPAA Journal, “133 million records were exposed or stolen” in 2023. The recent Change Healthcare cyber incident, which is still impacting the healthcare ecosystem, indicates that 2024 could likely be another record-breaking year for healthcare cyberattacks in the U.S.
Ransomware attacks are the fastest growing threat in the U.S. The U.S. Department of Health and Human Services (HHS) and Office of Civil Rights (OCR) identified a 278% increase in cyberattacks involving ransomware from 2018-2022. To clarify, this is just the data breaches that were reported to the OCR.
The fallout from a ransomware attack is comprehensive:
- Loss of personal health data
- Loss of trust by patients, members, customers and partners
- Decrease in employee productivity and morale
- Extensive system downtime
- Legal and regulatory fines
- Steep financial implications, like paying the ransom and the cost to get systems back up and securely running
The global average cost of a data breach in 2023 was $4.45 million, a 15% increase over 3 years.
IBM Cost of a Data Breach Report 2023
The alarming rise in cyber threats – namely ransomware – highlight the urgent need for enhanced cyber resiliency and robust security measures in healthcare. The healthcare sector is predicted to continue its investment in cybersecurity, focusing on resilient data management practices, threat detection, and employee training, while expanding into new technologies (like artificial intelligence) and collaborative efforts.
Here are five ways to reduce your risk and secure personal health information (PHI) from cyberattacks
1. Consistent Data Management Practices
Consistency is key, especially when it comes to basic cyber protection. These five stepping stones are just a start to laying out a consistent cybersecurity plan.
- Create a secure cybersecurity policy – Establish a firm security stance, then periodically review, modify and update policies and procedures in response to environmental or operational changes affecting the security of Electronic PHI.
- Encrypt data – Convert data to ciphertext that can only be read if decrypted
- Backup data – Ensure PHI data are backed up frequently, at least nightly, and stored in a HIPAA-compliant data center
- Update systems and software – Verify information systems are up to date with the latest security patches and diligently check programs for updates.
- Assess and monitor vendors – Ensure that third-party vendors agree to a business associate agreement (BAA) and monitor their activities to be sure they adhere to the policies. Review vendors to ensure compliance on a consistent basis.
2. Detection
As Benjamin Franklin said: “If you fail to plan you are planning to fail.” Detecting and addressing vulnerabilities in advance of an incident is critical to ensuring a strong security posture. The investment in audits and technology improvement almost always outweigh the costs of a ransomware attack.
Implementing a threat detection strategy is critical to identifying and preventing data breaches. Healthcare institutions and security leadership, like the chief information security officer (CISO), are investing more in security infrastructure. Guidehouse’s 2024 report found 85% of respondents’ organizations planned increases to their 2024 digital and IT budgets, with cybersecurity listed as their top investment priority. This demonstrates the industry’s commitment to safeguarding patient data.
By 2026, organizations prioritizing their security investments based on a continuous threat exposure management program will realize a two-thirds reduction in breaches.
Gartner
3. Employee training
To err is human and healthcare employees are no exception. Taking a human-centric approach to organizational security can cultivate shared cybersecurity responsibility, which in turn could dramatically reduce the chances of a data breach, HIPAA violation, and the costs associated with both. Given that social engineering now represents more than 50% of incidents (per Verizon’s DBIR Report 2023), the focus on the human element is pivotal to securing your data.
Adopting this approach can (1) increase awareness of accidental and intentional HIPAA violations, and (2) empower appropriate responses to social engineering. Ultimately staff need to make decisions and take action. However, leadership must engender the organizational identity around shared security responsibility.
Instilling the values of cyber detection and resiliency helps employees feel more invested. If they understand what’s at stake, then they can make quicker decisions and adhere to monotonous, daily security measures, like multi-factor authentication (MFA).
By 2027, 50% of large enterprise chief information security officers (CISOs) will have adopted human-centric security design practices to minimize cybersecurity-induced friction and maximize control adoption.
Gartner
Employers and employees should be aware of the human elements that factor into data breaches, including:
- Stolen credentials – Implement a strong password protocol that eliminates easy to hack passwords or the use of post-it notes with passwords on desks.
- Phishing – Monitor email (and other technology) and train employees to recognize signs of phishing, such as unusual messages from leadership or HR, and clicking on links or attachments from unknown sources.
- Error and Misdelivery – Ensure employees review the recipient of all of their communications so they don’t send PHI or other data to the incorrect audience.
One place to start: Conduct regular employee training.
Healthcare organizations can use a wide range of training programs and courses to keep employees up-to-speed on the latest security best practices. Updated approaches will mitigate insecure employee behaviors and tackle outstanding cybersecurity risks.
Security leaders should continue to review vendors and software to ensure they meet all requirements (such as HIPAA regulations) to effectively evaluate and educate staff, and reduce overall risk.For small and medium sized employers who have limited resources, HHS is providing free cybersecurity training courses for their staff.
4. Artificial Intelligence (A.I.)
Like nearly every other sector, the healthcare vertical is actively exploring and investing in A.I. Specifically, how it can improve data security. In fact, 73% of CIOs said they’re increasing investments into A.I. and Machine Learning (ML) (Per Gartner, 2024 Gartner CIO and Technology Executive Survey).
A.I. solutions present vast opportunities for automation: from visualization of networks, to identifying vulnerabilities at scale, to detecting suspicious behavior. Furthermore, machine learning models and A.I.-driven security can aggregate knowledge from previous experiences (in your own system and broader ecosystems) to predict and quickly respond to abnormalities. This knowledge can accelerate cyber defense within an organization and empower health systems to take proactive, automated measures to protect its network.
Before considering A.I. or another new technology, healthcare companies should continue to focus on shoring up foundational security technologies. This includes firewalls, encryption, and MFA.
5. Collaboration
One entity cannot secure everyone. Healthcare is built on interoperability. The strength of every single bond can determine the success or failure of our ecosystem. Hospitals, payers, providers, third-party vendors, and government entities must work together to ensure our security against cyber attacks.
Collaboration between healthcare institutions is anticipated to increase. While the use of disparate systems creates barriers to collaboration, the focus on standardization and interoperability can develop a more holistic, resolute system. By sharing knowledge and resources, we can collectively strengthen our defenses against cyber threats.
The U.S. Government continues to put cybersecurity in the healthcare industry at the forefront, instituting policies in the National Cybersecurity Strategy that will address cyber threats. Learn more about the HHS and the National Cybersecurity Strategy here.
In Conclusion
Early investments in consistent practices, detection, employee education, new technologies and collaboration can ensure a strong security posture that offsets potential costs of recovery and crises of confidence caused by a data breach. The lessons learned from 2023 have made it clear that cybersecurity is not just an IT issue, but a patient safety issue. As we move into the future, it is critical that the healthcare sector continues to prioritize and invest in cybersecurity measures to safeguard patient data and ensure the seamless delivery of healthcare services.
