Cybersecurity attacks continue to rise in the healthcare industry. Organizations face not only a growing number of threats but also an increasing variety. Hackers are constantly developing new ways to access and steal the highly valuable patient data created, shared, and stored by healthcare organizations.
A successful attack can be devastating for businesses. If systems are breached, an organization might need to pay millions of dollars in regulatory fines, legal fees, and IT costs. At the same time, the damage done to that organization’s reputation can mean millions more in lost revenue.
Despite the very real possibility of costly attacks, too few organizations are adequately prepared. The average healthcare organization spends only about 5 percent of its IT budget on cybersecurity, with most of the remainder going toward adopting new technologies.
If your organization has survived previous attacks—or is one of the relatively few that hasn’t yet experienced one—the time to focus on cybersecurity is now. Strengthening your security strategy and bolstering regulatory compliance can help keep your organization in business.
In this blog post, we’ll explore why healthcare organizations are such a frequent target for cyber criminals and highlight the unique challenges that healthcare IT groups face in protecting sensitive, highly regulated information.
Why are healthcare businesses targeted more?
Healthcare organizations are targeted by cybercriminals more than organizations in any other industry, including financial services. In 2020, healthcare accounted for 79 percent of all reported cybersecurity attacks, and the number of attacks on healthcare organizations continued to rise significantly at the end of that year.
Cybercriminals target healthcare organizations because of the tremendous amount of personal information that these organizations possess. Providers and payers handle electronic records that contain not only protected health information (PHI) but also personally identifiable information (PII) such as names, addresses, phone numbers, Social Security numbers, bank account numbers, credit card numbers, and more. Unlike a payment card number, which can be cancelled and reissued after a breach, a patient's diagnoses, Social Security number, and date of birth cannot be changed, which makes medical records durable and therefore more valuable on criminal markets. If attackers can access this information, they can sell it to fraudsters and other criminals for large sums of money.
What are the costs of cyberattacks for healthcare organizations?
When healthcare organizations do suffer a breach, the financial impact alone can be disastrous. Organizations might need to pay regulatory fines and legal fees while also spending money to recover data and rebuild systems. According to IBM, data breaches cost healthcare organizations an average of $9.23 million in 2021, the highest average cost of any industry.
The cost is also rising. The average cost of a breach increased by 29.5 percent from 2020 to 2021—and there’s no indication that it will decline any time soon.
Given the high cost of attacks, it might not be surprising that many businesses do not survive them. Across industries, small and medium-sized businesses are frequently targeted because attackers assume that these companies have weaker defenses. And when small businesses are attacked, approximately 60 percent are forced out of business within six months.
What are the unique challenges facing healthcare organizations?
Maintaining adequate cybersecurity can be difficult in any industry. But healthcare organizations face some unique, additional challenges compared with businesses in other fields.
Healthcare organizations must not only prevent cyberattacks but also follow strict regulatory rules. In healthcare, cybersecurity and regulatory compliance go hand in hand. Organizations that create, share, transmit, or store individually identifiable health information (covered entities such as providers and payers, and the business associates that handle data on their behalf) must comply with the Security Rule and Privacy Rule stemming from HIPAA (the Health Insurance Portability and Accountability Act of 1996).
Beyond following those rules, organizations are increasingly asked to demonstrate their compliance through HITRUST CSF certification. A growing number of hospitals and other institutions require their vendors to carry HITRUST certification so the hospitals can assure partners and patients that sensitive data will stay secure.
Earning HITRUST certification, then, offers an important means of competitive differentiation for many organizations. At the same time, maintaining HIPAA compliance and achieving HITRUST certification can help organizations better protect themselves against attacks. Going through the rigorous certification process and implementing the numerous security controls required for certification can help significantly reduce the likelihood of a successful cyberattack.
What is the current state of cybersecurity in healthcare?
Cybersecurity threats in healthcare continue to evolve. Until recently, healthcare organizations suffered most frequently from internal misuse of data—ranging from inadvertent unauthorized access of records to outright theft of data with malicious intent. But today external attacks account for 51 percent of breaches.
Those external attacks use a widening variety of methods. Healthcare businesses are subject to phishing, malware, ransomware, network intrusions, and even the compromise of physical devices, including the growing number of connected medical and Internet of Things (IoT) devices used in healthcare. Cybercriminals might attack healthcare organizations directly or try to reach large organizations through smaller, less-protected partners and vendors that already hold trusted access to their systems or data.
Meanwhile, many healthcare organizations have IT environments that leave them particularly vulnerable. Legacy systems, including medical devices and operating systems that the vendor no longer supports, often cannot receive the updates and patches that would protect data from current attack techniques, so known vulnerabilities remain exploitable for years.
The continued use of legacy systems might be one of the reasons that HIPAA compliance is less than perfect across the industry. According to an estimate from 2019, about 28 percent of healthcare organizations do not comply with the HIPAA Security Rule.
Organizations that are "born in the cloud" or have migrated to the cloud might appear to be better prepared to take on cybersecurity threats. Cloud service providers (CSPs) often use the latest systems and offer more advanced security capabilities than organizations can cost-effectively implement on their own. Still, cloud security is a shared responsibility: the CSP secures the underlying infrastructure, but the customer remains responsible for identity and access management, encryption settings, network configuration, logging, and the data itself. Selecting the right security capabilities and configuring them correctly can be complicated, time-consuming tasks, and misconfiguration is a common cause of cloud data exposure.
Maintaining HIPAA compliance and earning HITRUST certification for organizations that have cloud environments can be similarly daunting. In many cases, healthcare organizations operating in the cloud benefit from working with experienced managed service providers (MSPs) to optimize IT security and streamline certification.
Start strengthening cybersecurity and improving compliance now
Digitalization in healthcare has produced some important benefits. In fact, 75 percent of healthcare providers report that electronic health records (EHRs) alone help them deliver better patient care. Patients are taking more control of their healthcare with easier access to electronic records. And payers are gaining opportunities to identify trends and enhance efficiencies by analyzing large volumes of healthcare data.
The healthcare industry should not slow the momentum of digitalization. But as organizations generate, store, and share more sensitive patient data, they must place cybersecurity among their highest priorities.
Whether your organization needs to move away from poorly protected legacy systems or better safeguard cloud environments, working with outside experts is often the fastest, most cost-effective way to improve cybersecurity. You can prepare for evolving threats, maintain compliance, and achieve certification while remaining focused on innovation.
Learn how the HITRUST framework can protect your business. Download the free Guide, HITRUST is an Investment with Immense ROI: Why You Can’t Afford to Go Uncertified. Or connect with a Cloudticity expert today to learn how we can help secure your business with managed cloud services for healthcare.