Cybersecurity is make or break for patient safety and operational integrity.
It’s been a turbulent year in healthcare.
Disruptions, such as the Change Healthcare ransomware attack and CrowdStrike IT outages, have underscored healthcare's vulnerabilities and shown us how events like these can have crippling effects on healthcare operations and put patients in harm's way. As we look toward the future, we must come together as an industry to fix weak spots and protect our organizations.
An American Hospital Association survey found 94% of U.S. healthcare providers were impacted by the Change Healthcare ransomware attack, a grim statistic illustrating how cyber criminals can quickly cripple an entire industry. While CrowdStrike was not a direct security incident, it also highlighted our sector's vulnerabilities and the need for healthcare to have true business continuity and resilience plans.
Incidents like this are no longer just an IT problem. The entire industry needs to protect healthcare operations and patient safety from the devastating impacts of these disruptions. A multi-layered approach to prioritizing and investing in cybersecurity and IT resilience is crucial to safeguarding patient safety, privacy, and operational integrity.
Here are a few areas where healthcare organizations can focus their efforts and resources.
The need for a unified approach
Cyber threats will only continue to grow. We are on pace to set a new record for the number of security incidents in healthcare. Nearly 400 data breaches occurred in the first half of the year and threats will continue to rise as bad actors target weak legacy systems and exploit third-party vulnerabilities, taking advantage of emerging technologies for their own benefit.
Generative AI, for example, is a double-edged sword. While it can enhance our operational and security efforts, cybercriminals are also using it to accelerate their attacks, and we need to stay vigilant.
Our industry needs a unified approach against cyber criminals to effectively manage the emerging threat landscape and prevent disruptions. This will require stakeholders across the entire ecosystem—healthcare providers, payers, vendors, and government—to come together. It's not about one organization against another; it's about sharing resources and fighting a common enemy.
Cybersecurity incidents and lapses aren't opportunities to get a leg up on your competitors. As these events are becoming inevitable, we should all come together in these moments of need and do everything in our collective power to help. Healthcare organizations need trusted partners, not just vendors, as we brave these issues together.
We’re all in this together. Collaboration will help us safeguard our systems faster, improve incident response and disaster recovery, and ensure operations return online as fast as possible so healthcare workers can refocus on patient care and outcomes.
Security by design
Healthcare is the costliest industry for cyberattacks, with an average data breach costing nearly $10 million, according to IBM's 2024 Cost of a Data Breach Report. Financial services, which came in second, face data breaches costing $6 million—nearly $4 million less than healthcare.
As the threat landscape evolves, so must our strategies for protecting our systems. Security by design is no longer an option; it is a necessity to maintain business operations and continuity.
Embedding security measures from the beginning of development to implementation, rather than as an afterthought, is critical. Vendors should deliver secure solutions by default, including having built-in basic and advanced security protocols like multifactor authentication pre-configured.
The importance of business continuity is also exemplified in these scenarios by the ransomware attack affecting blood donation center OneBlood. The attack is limiting operations and disrupting normal distribution, but the nonprofit immediately implemented a backup plan to continue delivering essential services and enlisting the help of local hospitals until their operations return to normal.
By taking a unified approach like this, stakeholders can support or share resources with hospitals and health systems, allowing us to address vulnerabilities in outdated technology, legacy systems, or medical devices to nullify potential threats. Technology vendors and third-party supply chain partners must also work together on these issues as cybersecurity has become a non-negotiable part of the RFP process for healthcare providers.
Strategic prioritization
As mentioned earlier, cybersecurity is no longer just an IT issue. The CEO and board of directors play equal parts in the ownership of security risks and protective measures.
With cyberattacks happening with greater frequency, preparation requires knowing your business inside out and understanding the different levels of impact across your organization. What systems are critical to patient safety? What systems can you live without for a day?
CEOs and boards are responsible for setting the culture and tone for how your organization prioritizes the management and response to these risks. Regular cyber risk assessments, incident response plans, and business impact analyses are crucial for business continuity.
This can help prioritize resources to safeguard the mission-critical systems for patient care and operations. Having contingency plans in place if systems are offline for more than a few hours ensures your organization is prepared, even if it takes days or weeks to come back online.
While the last few months have shown us the devastating impact that ransomware and data breaches can have on healthcare, we must remember that we are on a journey that will only get more challenging before it gets easier.
We all have a responsibility to protect our patients and I’m pleased to see the healthcare industry is taking these issues more seriously than ever before. It’s evident in their increasing investments and I encourage more continued collaborations and unified approaches to solutions going forward.
Saeed Valian is the chief information security officer of symplr
Coming Monday: Chief Healthcare Executive® presents the final installment of our panel discussion on cybersecurity in hospitals and health systems. Our experts offer advice for healthcare organizations to improve their security.