Cybersecurity is a big topic at the conference, and in the healthcare industry. In an interview with Chief Healthcare Executive, Rafee says providers have a lot of work to do.
Nashville - Health systems and hospitals are still lagging behind other industries when it comes to cybersecurity.
Salwa Rafee, global managing director of Accenture Security, is moderating a panel on cybersecurity at the ViVE Conference. In a conversation with Chief Healthcare Executive® Sunday evening, she spoke about the challenges health systems are facing in terms of defending against cyberattacks.
When it comes to cybersecurity, Rafee says, “The healthcare providers in particular have a long way to go.”
“We as an industry are lagging behind.”
Hospitals suffer financially in cyberattacks, and they also endure lasting damage to their brand. Most importantly, Rafee emphasizes that health systems and hospitals need to look at cybersecurity as a key initiative to protect patients.
“Healthcare cybersecurity is patient safety,” Rafee says. “Period.”
A cyberattack “doesn’t just exploit the hospital system,” she adds. “It doesn’t just ruin the reputation. It doesn’t only stop the revenue. It comes with huge compliance mandates and fines, lawsuits from the patients, and the most important thing is the patient safety.”
If medical records are compromised, it could have deadly consequences for patients, she adds.
“Imagine if somebody ruins your diagnosis, or ruins your treatment plan,” Rafee says. “This has fatal impact.”
Health systems are starting to pay greater attention to the impact of cyberattacks as a threat to patient safety. Nearly half (45%) of healthcare IT professionals reported complications from medical procedures due to ransomware attacks, up from 36% in 2021, according to a survey from the Ponemon Institute.
Health systems trail the financial sector in cybersecurity, and Rafee says financial companies are typically investing more in that area. While financial firms may invest as much as 20% of their information technology budgets in cybersecurity, health systems typically invest 3%-5%.
The FBI released a report on cybersecurity last week and noted that the health sector generated more reports of ransomware attacks than any other critical infrastructure sector last year. The FBI received 210 reports of ransomware attacks from the health sector in 2022, more than twice as many as in the financial services sector (88).
Health systems should do a better job of sharing threat intelligence with community hospitals “that need to collaborate with the bigger hospitals,” Rafee says.
Nearly 50 million Americans were affected by a data breach of health information in 2022, according to an analysis by Critical Insight, a cybersecurity company.
Cybersecurity threats have proliferated over the last few years even as health systems have had to devote so many resources – in both money and manpower – to the COVID-19 pandemic. Undoubtedly, the pandemic diverted attention from efforts to prepare for cyberattacks.
“It played a very negative part when it came to cybersecurity,” Rafee says. “It was a setback, exponentially. And the hackers took advantage of the situation.”
Health systems have struggled to recruit and retain nurses, physicians, and other key workers over the last couple of years. And they are also having trouble finding IT personnel with cybersecurity experience, she says.
“They cannot find security talent,” Rafee says.
Cybersecurity experts say health systems remain a tempting target for ransomware groups because in many cases, hospitals have shown they will pay to regain access to their systems and treat patients.
Plus, private health information is highly coveted on the dark web, Rafee notes.
Health systems can go a long way in bolstering their defenses by exercising basic cyber hygiene, Rafee says. She adds that doing so could eliminate 60% to 70% of the biggest attacks on their systems.
Smaller hospitals should look to partner with other systems on cybersecurity efforts.
While many health systems are doing as much as they can, Rafee says some hospitals are buying tools – dozens of solutions in some cases – that aren’t integrated or fully utilized.
Hospitals are also vulnerable to cyber criminals who are gaining access through their vendors, and since health systems interact with hundreds of different companies, there are plenty of other potential targets for bad actors.
“It’s not just third-party risk,” Rafee says. “It’s fourth-party and sometimes fifth-party risk.”
The vulnerability of medical devices to cyberattacks is a “huge problem,” she says.
Another issue: some workers have more access to sensitive data than needed. As an example, someone moves up to a position that no longer involves direct patient care, but still retains access to patient data.
Rafee cautions that there’s really no such thing as mission accomplished when it comes to cybersecurity. In the face of evolving threats, health systems need to view cybersecurity as a journey.
“It’s an ongoing practice and effort,” Rafee says.