The post Healthcare’s Cybersecurity Crisis: Why Today’s Defenses Are Failing Against Evolving Threats appeared first on Above the Law.

Every healthcare system in the United States has its own level of vulnerability to cyberattacks. And each system, to the degree its resources and perception allow, is trying to eliminate those vulnerabilities. But many hospitals don’t have a clear picture of where and how they’re susceptible to attacks.

Systems struggle to meet minimum compliance requirements while lacking the resources or support to implement broader cybersecurity measures. As a result, cybercriminals are breaching the walls with alarming frequency. Consider: 

  • The Change Healthcare cyberattack earlier this year has cost parent company UnitedHealth $900 million and affected nearly a third of Americans directly or indirectly
  • A May attack on Ascension disrupted patient care, including postponed surgeries, canceled appointments and diverted ambulances
  • An HCA Healthcare data hack that affected 11 million patients was the largest in 2023, a year that saw a record 725 breaches

Healthcare providers and vendors are learning the hard way that hackers are relentless and resourceful, constantly adjusting tactics and tools and using new technology, including AI, to launch more sophisticated attacks. Hospital defenses typically lag behind. Cyber defenses that worked a few years ago are no longer adequate. Often, targets are unclear about where and how to upgrade their protection.

Public and private measures

Alarmed by the attacks, the public and private sectors are pressing healthcare systems to do more. Insurers who sell cyberattack insurance are insisting hospitals shore up defenses or lose coverage.

The administration is allocating $800 million for cybersecurity in the proposed FY2025 Health and Human Services (HHS) budget. In addition, there are separate healthcare cybersecurity bills in the House and Senate. The Senate measure would penalize systems that fail to improve their defenses.

New York is the first state to regulate healthcare cybersecurity. Its new rules require hospitals to enact data protection beyond what’s mandated by the federal Health Insurance Portability and Accountability Act (HIPAA). Healthcare systems must conduct an annual assessment of potential risks and vulnerabilities and establish a cybersecurity program based on that audit, including provisions for reporting, countering and recovering from a data breach.

In addition, hospitals must have a part- or full-time chief information security officer (CISO) to guide and support cybersecurity measures.

Underfunded and under attack 

Healthcare organizations cannot afford to wait. They must act swiftly and continuously to fend off attacks. However, many systems do not have the necessary budgets, know-how or personnel to accomplish everything they need.

Staffing cybersecurity teams is a particular problem. According to a HIMSS Healthcare Cybersecurity Survey:

  • 74% of respondents said recruiting qualified cybersecurity professionals was a challenge
  • 47% said a lack of cybersecurity experience or skills was a challenge in hiring
  • 38% said a lack of candidates with healthcare experience was a challenge

Along with a shortage of qualified candidates, healthcare organizations often do not have the budget to hire them:

  • 43% of respondents said they do not have sufficient budget to hire the staff they need
  • 28% said non-competitive compensation was a barrier   

Inadequate compensation, stress and long hours contribute to a retention problem. In the HIMSS survey, 57% of respondents said retaining qualified workers is a problem.

Cybersecurity budgets are rising, however, which could relieve some of the problems.

Third-party risk management

The attacks are not going to stop. 

Healthcare organizations make tempting targets for hackers for several reasons. They hold enormous amounts of patient data, which is particularly valuable because it includes both personal and financial information. They also have numerous vulnerabilities, internally and externally, particularly because the data is fragmented and held in multiple locations. And in the case of ransomware, any interruption to critical operations brings enormous pressure to resolve the situation, even if it means paying a ransom.

Hospitals are most often attacked indirectly through third-party vendors whose software they license. It’s extremely difficult, if not impossible with manual methods, for healthcare systems that work with hundreds of third-party applications to be sure each vendor has adequate defenses and is following cybersecurity best practices.

Even if the vendor is at fault, healthcare organizations bear the brunt of the attack. Fortunately, there are ways they can protect themselves:

  1. Risk assessment – Mapping the vendor network, auditing vendors’ security processes and monitoring their security posture on a regular basis.
  2. Remediating vulnerabilities – Fixing vendor vulnerabilities identified in Step 1, adjusting liability for direct damages if needed, or replacing vendors who won’t comply.
  3. Adapting practices – Putting policies and procedures in place that continue to prioritize third-party risk management, such as integrating security reviews into the buying process BEFORE a purchase has been made.

The need for outside help 

Healthcare systems operate with narrow margins, as they struggle with labor costs and workforce shortages. In this environment, funding requests to bolster cybersecurity must compete with other priorities. Hospital boards can be reluctant to allocate funds because they are unaware of how vulnerable their organizations are. The result is often a patchwork approach to cybersecurity that leaves gaps for attackers. And the approaching wave of government regulations addressing cybersecurity will add to the financial burden on hospitals.

Most healthcare systems do not have the resources or expertise to deploy reliable defenses and stay abreast of all threats. Many find it more efficient to partner with a firm dedicated to cybersecurity and risk management services. Healthcare cybersecurity experts are familiar with hospital technology, business practices, interoperability and the best defenses against cyberattacks. They can provide organizations with a comprehensive view of risk and guide the creation and improvement of a health system’s overall cybersecurity program.

They also help identify and manage third-party risk posed by vendors. These experts can give healthcare organizations peace of mind and allow them to focus on delivering healthcare.  

There is no foolproof safeguard against hackers, but healthcare organizations owe it to themselves, their patients and partners to mount the best defense possible.

George Pappas

George C. Pappas is the CEO of Intraprise Health, a Health Catalyst Company, and a seasoned high-tech executive with over 35 years of cross-functional expertise in Sales & Marketing, Professional Services, Operations, Product Management, and R&D. He previously served as Chief Customer Officer and Chief Operating Officer at DrFirst, where he significantly expanded the customer base to over 1,400 hospitals and 100,000 prescribers across the US and Canada.

George has a proven track record of guiding software and services companies from inception to high-growth stages, including Initial Public Offerings, with revenues ranging from $5M to over $100M. Prior to DrFirst, he was Chief Operating Officer at Motionsoft and served on their Board of Directors, as well as Executive Vice President and Board Member at Presidium. His extensive experience spans Healthcare, Financial Services, Telecommunications, National Security, and Higher Education. George has led R&D teams across the US, India, Russia, Poland, and China. He is active in CHIME and a member of their CFCHE program. George also holds a patent in sales risk management and is a graduate of Boston University.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.