Although 2023 is not over yet, it has already emerged as a sadly historic year for healthcare CIOs and IT leaders. This year is “on pace to smash all previous records regarding data theft attacks and ransomware attacks against hospitals and health systems,” according to the American Hospital Association’s national cybersecurity advisor John Riggi.
Riggi points out that 400 incidents, involving the theft of the protected health information of 74 million people, have already been reported to the U.S. Department of Health and Human Services’ Office for Civil Rights, which tracks and investigates healthcare data breaches.
As IT professionals supporting health systems, we are committed to protecting these organizations from the increased volume of cyberattacks, which shows no signs of slowing and remains our top priority in 2024. It is clear to us that threat actors are expanding their scope of attacks beyond the largest and most prominent healthcare providers and insurers to organizations of all sizes.
Along with those cybersecurity concerns, our organizations are exploring how we can optimize cloud computing across our clinical and administrative departments. Certainly, protecting our data from threat actors is among our cloud computing considerations, but so is how we utilize and manage those systems. We believe these priorities will align with those of other health information and IT leaders across the industry.
Cybersecurity’s Human Impact
Another sobering cybersecurity statistic reported this year was that 88% of healthcare organizations experienced an average of 40 attacks in the past 12 months, according to results of a survey conducted by the Ponemon Institute involving 653 IT and cybersecurity professionals. The associated financial toll reached an average of $5 million per organization, up 13% from the previous year, including $1.3 million attributable to disruption of healthcare operations.
Most startlingly, 43% of respondents reported that the data loss and theft from the incidents negatively impacted patient care, and 46% said the incidents led to an increase in patient mortality. This is an impact that must be emphasized more often when discussing cybersecurity: attacks are not just about financial loss and operational disruption; they contribute to patient harm and even death.
Our emphasis now and into next year is to spread awareness of these facts, and to drive adherence to security measures, across our client enterprises. While such statistics keep those of us in IS and IT leadership up at night, the same level of concern is not consistently shared by everyone in the organization, from the senior executive level to the providers and administrative staff whom threat actors target daily. Here’s how leaders in these departments can protect their institutions and patients:
· Continuous training. Even as seasoned IT and cybersecurity professionals, we consistently pursue educational and training opportunities so we remain vigilant against the threats facing our client organizations. The same type of policy should be enforced for the clinical and administrative staff at your organizations. Consistent training is not just for obtaining new knowledge, but for re-emphasizing best practices so they stay top of mind. Threat actors deliberately target healthcare staff with phishing emails in the hope that someone will ignore protocol, giving them the foothold they need to spread malware across the network.
· Minimize risk of human error. Even with the most sophisticated software and hardware safeguards, preventing cyberattacks is ultimately a human behavior issue. To put it in auto safety terms, the best seatbelts, airbags and tires in the world won’t save lives if people still choose to drive recklessly. IS and IT leaders, however, can ease the security compliance burden on their colleagues by limiting the opportunity for human error. One such tactic is to advance a Zero Trust security architecture across the enterprise, which enforces identity verification steps that cannot be sidestepped, so that a single mistaken click or stolen password does not by itself grant an unauthorized user access to networks or data.
· Disaster mitigation and continuity plan. Unfortunately, successful cyberattacks seem to be a matter of “when” rather than “if” for healthcare organizations. That means hospitals and health systems should ensure backup servers and applications are available and can be activated quickly if an organization’s main network is shut down by an attack. Because ransomware operators routinely seek out and destroy backups before detonating, those backups should be kept offline or otherwise immutable, and restoration should be rehearsed rather than assumed to work. If a network is compromised, encrypting PHI and other sensitive data at rest can limit what an attacker is able to steal and help minimize the impact.
Optimizing Cloud Computing
Certainly, cloud computing can be an asset in ensuring operational continuity after a cyberattack. The cloud, however, also poses a cybersecurity risk. The Ponemon Institute’s cybersecurity survey results show that 63% of organizations had cloud compromises, averaging 21 incidents in the past two years, mostly involving project management and video conferencing platforms.
Cloud computing was crucial for operational continuity early in COVID-19, when so many employees switched to remote offices, a trend that continues today. Since that urgent shift to cloud computing across every department and application, organizations have been assessing and mitigating the security vulnerabilities it introduced.
Another aspect of that assessment is ensuring that the cloud is truly delivering the cost, efficiency and time savings benefits for staff and providers. In some of the rural areas where we operate, for example, the cloud is not always accessible and can create obstacles, such as for team members who work from home and have inconsistent broadband Internet access.
Cloud systems may also introduce technical problems not considered during implementation. Although the servers may be off-premises and owned by a third-party vendor, the data, files and applications within them still need to be configured, managed and technically supported by the organization’s own staff; the vendor secures the infrastructure, not your data or your access controls. Organizations should consider whether they have the resources needed to support such a migration as well as its ongoing management.
Cybersecurity and cloud computing are just two of several enterprise-wide improvement priorities to which we are devoting resources in 2024. As described earlier, these IS and IT improvements can require specialized skillsets that some institutions may not possess. Working with an IT services partner with deep healthcare knowledge, expertise and experience in the coming year can accelerate progress on these priorities, and many others, to better protect your patients and organizations in what will likely be another tumultuous year in our industry.
Jeff Stravers and Dave Van Bruggen are vCIOs at Anatomy IT, which provides IT and cybersecurity solutions to empower healthcare providers to deliver exceptional patient care.