Building a system of value-based healthcare relies on meeting an organization’s data needs. In fact, data is indeed healthcare’s most valuable resource – and arguably the world’s as well. The current healthcare system is comprised of digital information; from electronic medical records to billing data to analytics to disease registries to administrative data and beyond, clinical, operational, and financial outcomes of healthcare depend on data. That makes healthcare systems notorious targets for cyber threats.
As technologies evolve, such as AI and predictive health models, data will become even more of an asset. Consumer health data is something that drives collaborative mergers and is used for research and new product development. It is critical that data is protected to preserve how organizations function and grow.
Cybersecurity 101
The science of protecting electronic systems and information from threats is a rapidly evolving field. Cybersecurity has 3 broad goals: protecting the confidentiality, integrity, and availability of information. Each of these three areas has many sub-areas and niches that healthcare information technology (HIT) experts focus on. The average hospital system IT service desk is responsible for 278 systems. The lower 25% of hospitals report 208 systems. That is a lot of disparate data to maintain securely, especially considering it comes with different configurations and security needs. These commonly found systems include:
- electronic health records
- e-prescribing system
- PACS (radiology) system
- IV infusion pumps
- vital signs machines
- surgical equipment
- refrigeration systems
- smart HVAC systems
- telehealth systems
- cardiac monitoring
Recognizing and preventing cyber threats
Malicious phishing attacks, ransomware, and malware and their impacts on healthcare continue to be on the rise. Phishing emails are particularly common (and highly effective), as they fool the email recipient into clicking on a link that discloses sensitive information. Ransomware attacks usually work by infecting a system and encrypting it, thus denying access to users. The data is essentially held hostage and a demand is made for payment to release it.
According to the 2021 IBM Security Report, the average total cost of a ransomware breach in the U.S. is now up to $4.62 million. These costs are spread across 4 cost centers:
- detection and escalation
- lost business
- notification
- post-breach response
Breaches examined for this study ranged from between 2,000 and 101,000 compromised records. Newsworthy large security breaches by businesses, restaurants, credit card companies, etc. are well-known with ransomware and destructive attacks costing more than other types of breaches. However, the study shows that healthcare breaches are even more expensive. It notes that for 11 consecutive years, healthcare has “had the highest industry cost of a breach.”
Costs can come in non-monetary forms as well. In 2020, a German woman died in what is being called the first fatality from a ransomware attack. Cyber criminals hit a hospital in Düsseldorf, Germany, and encrypted patient data, holding it hostage until payment was made. The ransomware hit 30 servers at the hospital, forcing the hospital to reject emergency patients as systems crashed. Because of this, one woman suffered treatment delays as she was moved to a neighboring hospital, resulting in her death. Criminals know that hospitals can’t afford downtime – and are likely to pay quickly.
Assessing cyber threat prevention and budgeting
The 2021 IBM report reveals that 2020 was the costliest year yet for healthcare data breaches; however, cybersecurity spending is lower in the healthcare sector than any other industry. The average healthcare system spends approximately 4% – 7% of its budget on cybersecurity compared to about 15% for other sectors such as the financial industry. The rapid growth of new technology without similar investment in cybersecurity effectively increases the surface area of threat vulnerability without increasing protective measures.
So how should healthcare organizations decide how much is enough? And how specifically should they invest in cyber threat prevention, monitoring, and protection measures? That must begin with identifying and prioritizing such events and then partnering with experts who take a strategic approach in driving IT intelligence in healthcare.
Growing an impactful HIT team
HIT professionals can conduct a security risk analysis, allowing healthcare executives and HIT leaders to build a strategy that fits an organization’s needs and adheres to best practices in cyber protection. Having such experts in place means having a strong line of defense against cyber incidents and their impact.
HIT teams can:
- assess the organizational cybersecurity risk
- recommend the right technology solutions for maximum impact
- analyze what responses would look like in different scenarios
- empower organizations to make informed and connected decisions
Cybersecurity compliance failures can undoubtedly cost healthcare organizations millions of dollars per breach. Investing in tenured HIT consultants can kick-start a higher level of security for existing and future data investments as healthcare organizations pave the way toward optimized patient care and successful digital transformation, interoperability and data utilization.
The healthcare industry has access to and authors more mission critical data than any other industry, and the challenge to provide a better patient journey and positive healthcare outcomes are ever increasing.
Secure your invite to our HIT virtual events for insight on securing your data investments and maintaining successful protection, interoperability, and data utilization.
