Top 5 Healthcare Cybersecurity Risks to Patients and Data
The healthcare sector has been increasingly targeted by cyberattacks, creating many challenges for security teams that are often stretched thin. Protecting patients at hospitals, clinics, and other settings is their mission, and it is at the core of why a mature cybersecurity model is so critical. Cyberattacks can force hospitals to resort to pen-and-paper methods of care or to ambulance diversion. These actions can then potentially cause patient harm through delayed availability of information and access to systems, and through the resulting impact on patient care.
According to CHIME, 15% of healthcare CISOs reported a patient safety incident tied to a cyber event, and 10% said their organizations needed to divert patients to another care setting due to a security incident. ECRI echoes these statistics and states that cybersecurity incidents don’t just interfere with business operations—they can disrupt patient care, posing a real threat of physical harm.[2]
Protecting patient data is also essential for patients’ privacy and for maintaining trust in healthcare. Patient faith in hospitals and clinics may never be restored after a breach occurs. While CISOs and their SecOps teams are trying to keep cyberattacks from reaching patients, they are facing risks on multiple fronts. Here are the top five risks they have to manage in 2022.
1. Budget Constraints
According to HIMSS, a better security posture typically requires more money.[3] Unfortunately, on average, healthcare cybersecurity organizations have not received the funding they need and often spend. Four to seven percent of a health system’s IT budget goes to cybersecurity, compared to about 15% for other sectors such as the financial industry.[4] Pre-pandemic competing operational priorities have been further inflamed by the COVID-19 impact on budgets.
These constrained budgets have been the common thread behind challenges in technology acquisition, skills gaps, and staffing shortages. A 2021 HIMSS study states that budgets are still the biggest security challenge for many respondents, at 47%.[3] This means that many healthcare organizations cannot afford everything they need, so they must pick and choose what to maintain, upgrade, or acquire. Rural hospitals have particularly small budgets, and if they have to divert an ambulance, the next hospital may be very far away, putting a patient’s life at risk.[5]
2. Targeted Ransomware
Healthcare has been an increasingly desirable target because of its likelihood of making high-dollar payouts. Malicious attackers also know that hospitals cannot function if their networks are down and are therefore more likely to pay a ransom. According to a recent survey, 48% of hospital executives reported either a forced or proactive shutdown in the last 6 months as a result of external attacks or queries.[6]
The impact of ransomware has also led to reputation damage and unprecedented ransom payouts. In 2021, the average 2020 healthcare ransom payout was $910,335.[7]
Ransomware events have severely impacted downtime costs at hospitals. For example, recent research has demonstrated that midsize hospitals averaged nearly 10 hours of downtime at $45,700 per hour.[6] HHS reports that the average Healthcare and Public Health bill for rectifying a ransomware attack – considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc. – was $1.27 million.[8]
Insurance companies have also responded to the increasing number of ransomware events in order to protect their business interests. The U.S. Government Accountability Office (GAO) found that the growing number of cyberattacks has led insurers to reduce coverage limits for some industry sectors, such as healthcare.[9]
Ransomware gangs are now operating more like professional businesses and are increasingly outsourcing certain functions to specialist cybercriminal groups, who assist with payments, negotiations, and arbitration, and provide 24/7 help centers for victims.[10]
“Hospitals’ systems were already fragile before the pandemic. Then the ransomware attacks became more varied, more aggressive, and with higher payment demands.”[11] — Josh Corman, Head of the Cybersecurity and Infrastructure Security Agency (CISA) COVID-19 task force
3. Staffing and Skills Gaps
On average, it takes about 118 days to fill healthcare cybersecurity job positions (almost three times as high as the national average for other industries).[12] These shortages can lead to burnout on the cybersecurity team.
COVID-19 placed an unprecedented burden on the healthcare system that resulted in increased cybersecurity staffing shortages. The pandemic presented new opportunities to work from home, which created a lot of competition in the market. A recent ISC² analysis indicated that of 4,753 surveyed cybersecurity professionals, only 4 percent of respondents worked in healthcare, pointing to a more extreme need for workers in this sector.[13]
In a recent survey, 75 percent of responding health system CISOs said that experienced cybersecurity workers are unlikely to choose a career path in healthcare because of the potential ramifications after a cyberattack.[12]
The right specialized skills may be difficult to find. Positions requiring high-level experience and expertise may be hard to fill on a limited security budget.
4. Cost of Data Breaches
If constrained budgets weren’t enough of a challenge for healthcare CISOs, they also face increasing HIPAA penalties, rising cybersecurity insurance premiums, and the cost of impacts to operations. The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows 686 healthcare data breaches of 500 or more records in 2021.[14] These breaches involving ePHI are considered HIPAA reportable events and typically come with hefty penalty costs.
Healthcare was the top industry in average total cost of a breach for the eleventh year in a row. The average total cost for healthcare breaches increased by 29.5% to $9.23 million in 2021.[15]
5. Expanded Attack Surface
An increase in connected medical devices, the adoption of remote/hybrid work, and M&A activities have resulted in an expanded attack surface that healthcare leaders need to manage.
Large hospital systems with enormous numbers of medical devices connected to their networks are particularly vulnerable to potential exploits. The Open Source Cybersecurity Intelligence Network and Resource (OSCINR) reports the concerning statistic that 60% of all medical devices are unpatchable.[16]
According to a 2021 AHA report, telehealth providers had experienced an increase in targeted attacks as telehealth’s popularity skyrocketed, with a 117% increase in website/IP malware security alerts and a 65% increase in security patching of known vulnerabilities.[17]
Learn How Deepwatch Can Help
SecOps teams can do more with less by leveraging smart spending. One of the fastest ways to mature a SOC’s security posture and optimize security investments is to partner with a trusted MDR (Managed Detection and Response) partner that can provide U.S.-based 24/7/365 security monitoring, threat detection, and rapid response. Staffing shortages and burnout can be alleviated when a partner is a natural extension of a healthcare organization’s internal SOC that is responsive and helps tailor solutions to challenges an organization faces.
Deepwatch understands healthcare security risks and tailors its approach to an organization’s unique needs. Learn about expert-led managed security with “Choosing a Managed Detection & Response Partner for Your Healthcare Organization.”