Health systems should look at cybersecurity as more than an expense. Improving cybersecurity can strengthen the brand and open new business possibilities.
Orlando, Florida – Even before the Change Healthcare cyberattack, which has emerged as the most damaging breach in healthcare to date, hospitals and health systems have had plenty of reasons to place cybersecurity at the top of the list of priorities.
Cyberattacks threaten the safety of patients and the financial strength of organizations, as the Change Healthcare attack has vividly illustrated. But ransomware attacks on hospitals have been rising for years.
Ransomware attacks have risen by 264% over the past five years, according to the U.S. Department of Health & Human Services. More than 134 million Americans were affected by healthcare cyberattacks in 2023, a 141% increase over the previous year.
Hospitals should look at the potential threats of ransomware attacks, but they also need to take a different view of cybersecurity, said Steve Cagle, CEO of Clearwater, a cybersecurity firm.
“Cybersecurity is part of the business strategy,” Cagle said. “It's not an IT issue. It's not a cost center. It is something that can propel your business forward.”
With investments in cybersecurity, health systems could lower their insurance costs, Cagle said. They also could find it easier to strike deals and form partnerships with other companies if they can show they're taking cybersecurity seriously. Cybersecurity experts and government officials have urged hospitals and providers to review their agreements with their vendors and review their preparations and response plans for ransomware attacks.
“We need to think of cybersecurity as a business enabler,” Cagle said. “That's the change in thinking that we need to see.”
Investing more
Hospitals are spending more money on cybersecurity. The average health system is investing 7% of its budget in cybersecurity, up from 6% in recent years, according to the 2023 HIMSS Healthcare Cybersecurity Survey Report.
Hackensack Meridian Health, a New Jersey system operating 18 hospitals, has boosted its cybersecurity spending after a ransomware attack in 2019. Hackensack Meridian expanded its cybersecurity team from seven members in 2020 to 35 employees by 2023; the team also includes a chief information security officer. The health system allocated 6.4% of its budget to cybersecurity in 2023, up from 0.5% in 2020.
Mark Johnson, Hackensack Meridian’s chief information security officer, said the health system’s leaders saw the need to spend more on cybersecurity after enduring the costly breach. During a session at the HIMSS Conference, Johnson explained the shift, saying leaders realized “we can't live like this. We have to change.”
Health leaders need to think about cybersecurity expenses in all of their major initiatives, from acquiring new technology to mergers and acquisitions, Cagle said.
“We hear all the time, ‘We're spending more and more on security,’” Cagle said. “Yes. You're going to keep spending more on security if you want to protect your organization.”
Better but still behind
Blaine Hebert, chief information security officer of Yuma Regional Medical Center, presented with Cagle at the HIMSS Conference. While he sees hospitals making progress in cybersecurity, he says the healthcare sector still lags other sectors.
“I would make an assumption that we're probably a decade behind the banking industry,” Hebert said.
Hebert added that there’s a growing recognition of the dangers of cyberattacks in healthcare. He said the Change Healthcare cyberattack is going to spur more action from health systems to improve the defenses of their systems.
“Hopefully, there's some good that comes from this Change Healthcare event that has happened, and it's going to stimulate hopefully some redundancies in healthcare,” Hebert said.
Hospitals need to recognize that attackers are able to launch more potent and complex attacks, Cagle said.
“Attacks are becoming much more sophisticated, more frequent, more targeted at healthcare organizations,” Cagle said.
“We need to make sure that we're taking appropriate actions to identify risk, assess risk, implement controls, and that we're doing this across the entire ecosystem because there's systemic risk,” he added.
Hebert discussed the importance of viewing cybersecurity both as a key component in protecting patients and as a way to help health organizations grow stronger financially.
Hospitals should view cybersecurity “as a value add, and not just a cost center,” Hebert said.
Health systems can build partnerships and improve their reputation with better cybersecurity. Hospitals can use it as a selling point, Hebert suggested.
With more robust cybersecurity plans, hospitals can say, “Our brand is that we’re secure,” Hebert said.