High Value Target with Low Value Investment
Healthcare's Tech Struggle
The dark web value of a social security number? $1
A clean credit card? $5
A health record? Jackpot.
A whopping $1,000
With those numbers, it should be no surprise that 99% of Healthcare IT Security leaders reported a breach in the last 12 months. The unfortunate follow-up is that while these threat levels are staggering, support for solutions is limited.
When patient care and medical operations are impacted by a cyber incident, facilities are forced to send patients elsewhere, resulting in potentially catastrophic consequences.
What seems like an innocuous gap, an inability to account for the full range of healthcare worker types, can drastically delay access to information, facilities, or medical devices, preventing critical care.
This scenario isn’t unusual. Technology failures and budget shortfalls are pervasive and impact every industry. During the red, budgets get cut. During the black, money goes everywhere but IT. The rub? Technology intersected our physical sphere and the consequences got real in a hurry. Reducing the budget resulted in the loss of life.
The healthcare industry is a prime target for cyberattacks, increasing 74% from 2021 to 2022. Despite the high risk and high value of the target data, healthcare organizations continue to underinvest in cybersecurity.
So where’s the punchline? Why is there such a persistent struggle with such a visible and tangible impact? As overall IT spending is climbing, why are healthcare budgets still falling?
The consistent internal complaints about the inability to invest?
- Low profit margins: with the cost of care skyrocketing, healthcare continues to operate on a razor thin margin.
- Conflicting priorities: the burden of choosing to allocate funds to cybersecurity versus patient care.
- Distributed healthcare networks: small providers and clinics are often connected to larger health systems, creating massive security gaps and high platform fees.
- Legacy IT anchor: outdated legacy systems with little to no patching have created a vulnerability and sustainability nightmare.
- Leadership commitment: little to no executive understanding or support means budget dollars flow elsewhere.
- Talent shortage: attracting and retaining skilled cybersecurity talent is at an all-time low, leaving many teams with significant skill gaps.
As a cyber practitioner looking in: while the internal complaints are valid, our inability to articulate an impactful operational message has failed us tremendously.
This combination of limited financial resources and human capital has created a vast attack surface, but the understanding of that impact is limited. With our goldmine of electronic records and well-funded, skilled threat actors, the battle is intensely lopsided and we’re fighting it alone.
Internal threats to prescription systems also present opportunities to monetize access vulnerabilities. The lack of system redundancy and minimal investment in recovery processes make healthcare organizations prime targets for disruptive ransomware attacks, which in turn put them right back on the radar for repeat attacks, further debilitating our ability to succeed.
Earlier this year, an attack forced Scripps Health to take many systems offline for weeks, delaying imaging services for emergency patients. Ireland’s national healthcare system was also crippled by a Conti ransomware attack, and the list goes on.
Solutions aren’t easy or cheap to come by, and our story isn’t resonating.
The first move? I’m a broken record: getting executive support and clarifying the message. By truly prioritizing (which means allocating budget for) investment in cybersecurity and resource expertise, you can make vast progress in protecting facility operations, securing medical devices, and protecting patient data, backed by a clear and concise message on the impact to operations.
How to make that move? Educate those around you by advocating with the right terms. Speaking to the impact on patient outcomes, the impact on the communities you serve, or the inability to provide patient care moves the priority needle and clarifies the demands on the technology framework supporting your facilities.
Finding that data means understanding your risk profile and current vulnerabilities.
- Perform an assessment to increase the clarity of your current and desired state
- Create a plan to evolve with tangible operational goals
- Establish an ongoing process to test, remediate or patch, and pressure cook your applications to increase resiliency and reduce threat levels
- Create rapid response plans for potential attacks to prepare for immediate action
- Ensure the message surrounding these investments depicts the positive outcome of increased care or service and reduced risk
Executing these steps provides an understanding of risks and threats to support your investment needs, and keeps cyber in the conversation as a positive contribution to patient care rather than something that detracts from it.
It boils down to patient care.
As a system, if the providers’ pledge is to do no harm and support the communities you serve, ensuring you have the ability to do so with the right technology, equipment, and patient confidentiality in mind is critical.
Failure to invest in proper digital security in the healthcare world causes harm, which is in direct contradiction to that mantra. As the technology that does good in healthcare grows ever more complex, it’s our moral imperative to act. Technical advances in medicine will continue to surge ahead; it is our responsibility to spend just as much effort on leveraging funding and expertise to protect our patients from the harsh reality of the physical threats at our doorstep.