Healthcare organizations are under attack from all sides of their businesses. We are seeing a major increase in directed ransomware and other cyber-attacks on a variety of healthcare organizations and their partners. These attacks are crippling operations while also compromising protected health information and other sensitive personal and professional data. With each day, we see more situations where threat actors are disrupting vital services and compromising patient safety and privacy. The damage to an organization’s reputation can be immeasurable. This unprecedented increase in attacks has hit healthcare organizations both large and small, creating greater awareness of healthcare cybersecurity.
These attacks are not focused solely on data; they are going after critical health management and medical support devices too. As reliance on technology continues to increase, it is more critical than ever to prioritize cybersecurity for both defense and resilience. We know that healthcare organizations spend far less than the average company on cybersecurity, and it is time that this changed!
Here are a handful of reasons why healthcare organizations should invest in robust cybersecurity measures:
- Patient data is often the target of cyber-attacks because of its high value compared with other data thieves might be able to take. Health-related data brings a high premium on the black market. By developing appropriate policies and implementing cybersecurity measures to meet those policies, healthcare organizations can better protect patient data.
- Patients’ trust in healthcare organizations can be easily shaken and is vital to the doctor-patient relationship. A breach of that trust caused by a reportable cyber event of any kind, or even a perceived data breach, can be damaging. Few industries are more negatively impacted by eroded trust, so it is important that healthcare organizations do what they can to defend their reputation for trustworthiness with patients. A robust cybersecurity program can help avoid issues that damage trust and, in turn, maintain patient confidence in an organization.
- HIPAA and other state/federal regulations can subject U.S. healthcare organizations to financial penalties and legal action by HHS, state attorneys general, and individual patients. The direct costs of a breach can be very expensive: penalties, lawsuits, legal/PR expenses, forensics, remediation, reporting obligations, and staff time/resources. In many current attacks, ransoms are demanded as well. The indirect costs can also have a significant impact on the future of the organization, including lost business, lost government contracts, and even the loss of key employees.
- Cyber-attacks have disrupted, and will continue to disrupt, healthcare services. They have caused delays or cancellation of services for patients, and in some publicized cases this disruption has resulted in additional injury and even death. By investing in cybersecurity, healthcare organizations can better ensure that systems and related medical devices are protected and that services remain available and reliable.
- Healthcare organizations are subject to strict and often punitive regulations. Any failure to implement adequate cybersecurity and other privacy measures may result in a determination of willful neglect and cash penalties, with many years of follow-up investigations and auditing.
The bottom line: healthcare organizations have much to lose by failing to invest in robust cyber defenses and resilience measures. By protecting the systems that support patient data, and by having a tested recovery and operational continuity program, organizations can maintain patient safety and trust while keeping services available. Complying with regulations is a must, but it should not be the sole driver of your organization’s efforts to improve its cybersecurity posture. Profitability can be supported by more—not less—investment in proper cyber hygiene and disaster planning.