Shields up! The importance of cybersecurity for hospitals and healthcare organizations
Just as healthcare professionals seek to provide patients with high-quality patient care, healthcare organizations must also address vulnerabilities in their digital infrastructure to protect patient data.
In 2021, the FBI’s Internet Crime Complaint Center received 649 complaints of ransomware attacks from organizations that belong to a critical infrastructure sector. Among the 16 critical infrastructure sectors that reportedly fell victim to cyberattacks in the United States, health systems and hospitals were by far the most frequent victims, with an astounding 23% of all complaints. The healthcare sector also had the highest average total cost of a data breach at $9.2 million compared to an industry average of $4.2 million, according to an IBM security report from 2021.
The healthcare sector is a prime target for cybercriminals. This is because healthcare organizations possess a significant amount of sensitive data to maintain patient care and sustain operations, and this confidential healthcare information is far more lucrative to cybercriminals than credit card information. In fact, stolen health records may sell for up to 10 times more than stolen credit card information.
To make matters worse, the development of the industry’s electronic medical records over the last decade and a half has made it easier for cybercriminals to find vulnerabilities and points of entry into a hospital’s records and IT systems. Although a more digitized healthcare infrastructure has led to unprecedented connectivity and allows for major advancements in patient care, it also creates more opportunities for broad-based attacks as automated technologies permeate more stages of the patient care process.
Given the increased frequency of cyberattacks, many federal agencies and healthcare organizations have issued alerts about bolstering cybersecurity. S&P Ratings recently warned U.S. organizations to be on heightened alert, given potential cyberattacks from Russia against countries that have provided support to Ukraine. The American Hospital Association (AHA) and the Health Information Sharing and Analysis Center (H-ISAC) issued a joint advisory recommending that healthcare organizations identify and consider blocking any direct or third-party business associates and email contacts based in Ukraine and the surrounding region. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued a joint advisory in February 2022 providing guidance on how U.S. organizations can detect potential threats and protect their networks, recommending that all organizations assess and bolster their cybersecurity.
According to a HIMSS Cybersecurity Survey in 2020, cybersecurity is underprioritized by many healthcare organizations due to tight IT budgets that must compete with other hospital priorities and expenses. On average, hospitals spend about 5% of their IT budget on cybersecurity, with the remainder spent on new technologies. This has caused the healthcare industry to fall behind other sectors in cybersecurity prevention, and, as a result, many organizations have paid steep costs to mitigate a threat after suffering an attack. Although studies have revealed that organizations that prioritize cybersecurity through proactive investments experience long-term savings, it is often difficult for healthcare organizations to justify cybersecurity spending when faced with other competing priorities, such as industry-wide staffing shortages, significant increases in expenses exacerbated by inflation levels not seen in over 40 years, or the implementation of measures to manage the challenges associated with a global pandemic.
In light of the development of a more digitized healthcare infrastructure that increases vulnerability to attacks, compelling financial incentives to sell stolen health records, and underfunded cybersecurity budgets, our country’s healthcare system will continue to be a primary target for cybercriminals. As cybercriminals have become increasingly sophisticated and their attacks more damaging to society, the crime itself has also evolved from one motivated by financial gain to an act that threatens patients’ lives and public health. Hospital efforts alone are not enough to combat cybercriminals and the geopolitical forces that lead to cyberattacks against their organizations. Federal agencies and policymakers must work collaboratively with healthcare organizations to strengthen the regulatory environment for healthcare security and develop standards that organizations can easily navigate and adopt. Nevertheless, the best defense against cybercriminals begins with establishing a culture that prioritizes and aligns cybersecurity with patient care. This allows healthcare organizations to leverage their existing culture of patient care, where healthcare professionals are stewards and defenders of patients and their data. CISA recommends that all organizations adopt a heightened posture when it comes to cybersecurity and provides free cybersecurity services and tools to improve cybersecurity risk management. These resources are sourced from a wide variety of federal agencies, government partners, and other organizations and are categorized into four goals:
- Reducing the likelihood of a damaging cyber incident
- Detecting malicious activity quickly
- Responding effectively to confirmed incidents
- Maximizing resilience
Putting these steps into action will help all organizations make progress towards improving cybersecurity and mitigating threats. Just as healthcare professionals seek to provide patients with high-quality patient care, healthcare organizations must also address vulnerabilities in their digital infrastructure to protect patient data. After all, even computers are susceptible to viruses.
The information contained in this report was obtained from various sources, including third parties, that we believe to be reliable, but neither we nor such third parties guarantee its accuracy or completeness. Additional information is available upon request. The information and opinions contained in this report speak only as of the date of this report and are subject to change without notice.
This report has been prepared and circulated for general information only and presents the authors’ views of general market and economic conditions and specific industries and/or sectors. This report is not intended to and does not provide a recommendation with respect to any security. Cain Brothers, a division of KeyBanc Capital Markets (“Cain Brothers”), as well as any third-party information providers, expressly disclaim any and all liability in connection with any use of this report or the information contained therein. Any discussion of particular topics is not meant to be comprehensive and may be subject to change. This report does not take into account the financial position or particular needs or investment objectives of any individual or entity. The investment strategies, if any, discussed in this report may not be suitable for all investors. This report does not constitute an offer, or a solicitation of an offer to buy or sell any securities or other financial instruments, including any securities mentioned in this report. Nothing in this report constitutes or should be construed to be accounting, tax, investment or legal advice. Neither this report, nor any portions thereof, may be reproduced or redistributed by any person for any purpose without the written consent of Cain Brothers and, if applicable, the written consent of any third-party information provider.
“Cain Brothers, a division of KeyBanc Capital Markets” is a trade name of KeyBanc Capital Markets Inc. Member FINRA/SIPC.
KeyBanc Capital Markets Inc. and KeyBank National Association are separate but affiliated companies. Securities products and services are offered by KeyBanc Capital Markets Inc. and its licensed securities representatives. Banking products and services are offered by KeyBank National Association. Credit products are subject to credit approval. Copyright ©2022 KeyCorp.