If You Are Cutting Security, Use A Laser, Not A Hacksaw

April 22, 2020
Smart business heads know instinctively that you do not reduce security when you need your systems and data the most. Right now is one of those times.

There is no one who isn’t feeling the economic pain of this pandemic and looking at ways to conserve resources and cash, but there are several reasons why cutting security is one of the last things you should do.

Many health systems in America are running flat out due to extended emergency mode operations. They have been introducing new remote computing and communication capabilities, and extending their supply chains further than ever before. Even routine activities such as staff meetings, rounding, and board meetings rely on the network and communications to be accomplished. All clinically non-essential personnel have been sent home to work and are learning how to accomplish tasks such as paying bills, receiving payments, and HR work remotely, relying on that same network and communications.

To make this work, health systems are expanding information capabilities and introducing new technologies and novel ways to share information between patients, providers, and researchers. Now, when health systems need to rely on their information backbone more than ever to support operations, reducing security and elevating risk is the last thing we want to consider.

At some point the effects of this pandemic are going to subside, or at the very least settle into a new norm, and recovery is going to be critical to the long-term viability of every concern. When that occurs, we are going to need all aspects of the system functioning as efficiently and reliably as possible to support recovery. The moment we want to put our foot on the accelerator and get back to positive growth as soon as possible is the moment we can least afford a cyber incident. The cost of cyber incidents has been steadily rising, and one health system hit with ransomware that caused a two-week outage of systems estimated that it took nine months to get back to where it was financially prior to the incident. Having this occur during recovery could have a devastating effect.

Every health system I have talked with across the country is experiencing unprecedented change in its information and communications environment as a result of the pandemic and the need for social distancing. These changes include new business models for critical processes, increased remote connectivity, greater supply chain reliance, and acceleration of technology adoption such as telehealth. Change in any IT environment always elevates risk. Most organizations are barely keeping up with cybersecurity needs, and in times like these organizations are likely to have less than what they optimally need. Again—it’s not the right time to pull back.

Now is the time to invest in security--not just because it’s needed, but because now is when organizations can negotiate the best cost. Now is also the time to avoid cost, if at all possible, as outages or incidents drive costs up. This pandemic did not just affect healthcare; it has affected all businesses across all verticals, security included. Now is the time to look to managed services as a vehicle not only to get the support and the extended bandwidth you need, but also to negotiate more favorable terms. Don’t hesitate to ask for favorable terms such as price forgiveness or price reductions on the front end of multiyear terms, with recovery for the vendor later in the agreement. Negotiating favorable terms now means avoiding cost in the short term without sacrificing support. Now is when I need the support and the cost cuts. The other cost avoidance that is always with us is associated with avoiding a cyber incident.

During an episode such as this one, the national health network becomes the most visible, and the reliance health systems have on one another has never been clearer. Our responsibility to one another, as members of a community of health providers, becomes very apparent.  In security we talk of trusted environments or trusted systems, and this refers to the ability to operate and share information with confidence because all members of the group have adopted a minimal level of security. 

This is critically important as we look to map the spread of the virus, identify the trail of an infected person, or push and pull information from health systems all over the country to mitigate the impact of the virus. There is another, more basic responsibility we share, and that is reliability of care. When many health systems are operating at max capacity, the last thing that anyone needs is for a health system to suffer a major outage as the result of a cyber incident. Ransomware attacks, for instance, have caused health systems to be offline for more than two weeks, having to divert patients during that episode. When capacity is stretched thin, there may not be anywhere to divert patients, putting them at greater risk.

Cyber criminals don’t care that you absolutely need your systems to perform right now, that patients or the public may be put at risk, and that your staff is stretched to its limits and exhausted like never before. They don’t care that you are trying to recover now that the storm has passed. They see these circumstances as opportunities for weakness that can be exploited, as times when you might take your eye off the bigger picture, and as times of opportunity because we’re focused on what is happening and not cyber hygiene.

The number of scams, phishing attacks, and ransomware attempts targeting healthcare has increased during this pandemic as cyber criminals hope to exploit all of the distraction. Now more than ever, security must be vigilant in monitoring the effectiveness of controls, in identifying risks associated with changes in the environment, in the education of users, and in monitoring threats. Now is certainly not the time to reduce security spending.

When budget cutting is contemplated there are those who believe security is optional; it is not. Cybersecurity is essential, and smart organizations prioritize security spending with operational spending. This is never more true than during times of stress like this pandemic. This is the time that health systems can least afford an incident, when patients can least afford them to have an incident, and when more support is key to success. It’s also the time of opportunity for the smart leader, as cyber companies are likely to be most flexible in their pricing approaches. Security in a crisis is just like the market--while it may not seem logical, now is the time to buy. But if you must cut, do so surgically.

Mac McMillan is CEO Emeritus of CynergisTek, Inc.
