Why Strong Cybersecurity is a Must-Have for Hospitals and Health Systems Now
More than a year ago, we wrote about the increased need for better cybersecurity in the healthcare sector. What a difference a year makes. Hospitals are particularly vulnerable right now as they struggle to provide patient care during the course of COVID-19, with many of them turning to digital healthcare initiatives, from telehealth and telemedicine to remote monitoring and telework, for the very first time.
John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association, succinctly put everything into perspective. He recently testified at a Senate hearing on cyber threats amid the pandemic and described how it has led to a “cyber triple threat for hospitals and health systems: an expanded attack surface due to rapidly expanded network- and internet-connected technologies and services; increased cyberattacks of all types; and fewer available resources to bolster cybersecurity defenses.”
To date, the healthcare industry has never experienced these levels of expansion and/or new deployments of network- and internet-connected technologies and services. Unfortunately, hospitals and health systems often overlooked the necessary security protocols because they were laser-focused on rapid technology implementations in order to minimize interruptions in patient care.
Healthcare Security Fast Facts
In October, the FBI warned of “increased and imminent cyber threats” to hospitals, potentially coming from foreign groups targeting hundreds of health systems with ransomware. When you consider some of the industry’s sobering security statistics, it’s easy to see why cyber criminals consider healthcare organizations prime targets:
- 70 percent of healthcare organizations reported a significant security event in the last year;
- Nearly one in five of these organizations said security incidents disrupted or damaged systems and devices;
- Only 50 percent of healthcare organizations are conducting comprehensive end-to-end security risk assessments; and
- These organizations dedicate only 6 percent or less of their IT budgets to
Telehealth Fuels Interest from Cyber Criminals
Telehealth has been around since the 1950s, but it was not until the pandemic hit that it became so extensively used and accepted. Physicians and other health professionals are now seeing 50 to 175 times the number of patients via telehealth than they did before the pandemic. However, telehealth has become one of the biggest threats to healthcare cybersecurity.
The hurried pace at which telehealth solutions were put into play to counter the impact of the pandemic made them very appealing targets for cyber criminals, as implementations focused more on connecting hospitals, physicians and patients—quickly—than ensuring strong security protocols were in place. Telehealth offered a myriad of weak links that could easily result in major cybersecurity incidents, from email phishing attempts and sketchy work-from-home Wi-Fi networks to the use of unsecure web-based applications and endpoint medical and diagnostic devices.
Any network, application or device that enables a remote connection between patients and healthcare providers represents a data and privacy security risk.
Don’t Wait for a Crisis to Consider Multi-Factor Authentication
Multi-factor authentication (MFA) has been proven to block more than 99 percent of automated cyberattacks. However, hospitals and health systems often wait until they have a security crisis before considering this easy-to-implement and non-invasive technology. And, the cost of waiting can be quite expensive. Estimates of these costs are:
- Breach Notification: An average cost of $210,000
- Breach Response: An average cost of $1.1 million
- Loss of Business: An average cost of $1.42 million
As we’ve said time and time again, stronger cybersecurity begins with proactively preventing unauthorized access to networks, systems, and sensitive data in the first place.
While the financial struggles that hospitals and health systems are facing are well documented, these organizations still need to make cybersecurity a top priority—in order to address their operational, technical and clinical care responsibilities.
In this day and age, hospitals simply can’t afford not to.