Cybersecurity challenges hobble healthcare
An ounce of prevention, goes the saying, is worth a pound of cure. The healthcare sector has learned the truth of that the hard way — again and again and again. In an industry charged with handling some of the most sensitive user data out there, robust cybersecurity is mission critical. So why do costly data breaches in healthcare keep making headlines?
Healthcare is among the top sectors targeted by cyberattacks, and the industry’s shifting technology landscape leaves even broader exposures. In recent years, threats have grown both more sophisticated and more consequential, increasing not only costs (an average of over $10M according to IBM), but even patient mortality.
What about healthcare has made it so vulnerable? Why has cybersecurity been a growing challenge for the sector?
Healthcare’s old and new cybersecurity challenges
Few industries are as consistently on the bleeding edge of technology as healthcare. It’s an industry that’s constantly leveraging emerging technologies, including wearable health technologies and the Internet of Things (IoT), as well as mobile- and cloud-based applications. But healthcare has gone through even more dramatic changes since 2020, in no small part because of a COVID-fueled adoption of remote access to telehealth services and medical records — often from a user’s personal device. Any new technology creates new cybersecurity exposures, and healthcare’s overlapping infrastructures, third-party integrations, and disparate device ecosystem leave these vulnerabilities open for bad actors.
The risk doesn’t lie just with novel systems and technologies, either. Legacy software and dated devices are, as the FBI has noted, susceptible to cyber attacks. That includes pacemakers, insulin pumps, intrathecal pain pumps, intracardiac defibrillators — tools that were not initially built with security in mind but, it turns out, need special patching and upgrading procedures.
Indeed, per the FBI, there are an average of 6.2 vulnerabilities per medical device. The stakes, the agency declares, are high: “Malign actors who compromise these devices can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.”
Yet when it comes to modernizing the industry’s flagging platforms and devices, we all know where the inertia comes from: budget and buy-in. Updates require resources and collective will not just for hardware and software, but also for upskilling staff and regulatory compliance certifications. All of that can be a tough sell for healthtech and healthcare businesses with tight budgets or complacent executives.
In short, the current cybersecurity challenges in healthcare come from a number of vulnerabilities, old and new, including:
- Highly sensitive data
- An ever-evolving tech landscape
- Lack of buy-in and undertraining
- Budget constraints
Sensitive data is valuable data
Why are US healthcare companies the primary target of so many system attacks? Cybercriminals aren’t phishing for the love of the game, but rather for ROI — call it their return on immorality — and it’s the unfortunate truth that the more personal and sensitive a piece of data, the more value it has.
Unfortunately, medical data is among the most valuable, by some measures worth up to 50 times the value of a person’s credit card data. It also has a much longer lifespan: For years on end, a stolen health record can be used by a bad actor to receive treatment, get prescriptions, or file false medical claims. Given that medical data is inseparable from the healthcare industry writ large, products and systems that store and handle such sensitive information must contend with this larger target and be prepared for the worst.
New tech, same old mistakes
While telehealth is down from its COVID-induced peak, it’s now used far more often than before the pandemic — up to 38x more than the pre-pandemic baseline. That fits into a larger trend within the industry: a move towards care management from personal devices and cloud-based programs that make healthcare more seamless and accessible. This digital transformation is nothing new in healthcare, which has already undergone a thorough — though not complete — migration to electronic health records (EHRs).
Technology innovation is the lifeblood of the industry, and the industry is only growing more interconnected. Yet from emerging technologies to established solutions, the many systems and platforms on which medical data is collected, shared, and stored only introduce more vulnerabilities, as well as more room for error on the part of both systems and users.
Undertraining in staff and users
Smartphone use has become ubiquitous, and healthcare is no exception. Users today — patients, providers, and industry professionals — expect care to be quick, seamless, and accessible from their personal devices. That presents opportunities for increased efficiency and engagement — and human error.
Indeed, an analysis by Verizon of over 23,000 incidents found that the human element contributed to 82 percent of cybersecurity breaches, yet nearly a quarter of healthcare employees reported that they received no cybersecurity training. Given that pairing of risk with inadequacy, it’s incumbent on healthcare organizations to educate both professionals and patients on the importance of cybersecurity and the potential risks and consequences of security breaches.
Budgetary constraints and lagging systems
Healthcare organizations have a lot of use cases for emerging tech, and a lot of dated, vulnerable legacy systems, too. Given the labor and expense associated with updating these systems and improving cybersecurity infrastructure, it’s understandable that hospitals and other healthcare organizations are hesitant to commit. This lack of commitment is reflected in budgets; over half of hospitals in 2021 spent less than 10 percent on cybersecurity, according to an industry survey.
But with the average breach costing healthcare organizations over $10M, the price of that negligence is higher. As attacks become more common and costly, protecting medical data becomes more than a moral imperative: It becomes smart business.
Fundamental strategies for cybersecurity in healthcare
Despite myriad challenges, healthcare companies have options to ensure a more secure environment for the data of their users, patients, and providers.
Network segmentation is a proven strategy for reducing the risk of cyberattacks. By dividing information and data across your business’s technology system into segments, you’ll be able to ensure increased security and reduce the risk of a breach compromising data across your entire system.
Migration to secure cloud programs
Migrating from a legacy system to a cloud system takes a lot of work. But by transporting all of that information to a third party, you’ll not only be able to ensure increased (and HIPAA-compliant) security from the start, you’ll also be well positioned to scale services and infrastructure as you grow.
Staff education and training
Cybersecurity awareness is a critical component of cybersecurity itself. Education and training will continue to be a crucial aspect of healthcare cybersecurity in 2023. With the increasing number of threats, it's essential that healthcare organizations provide regular training and education to their staff on cybersecurity best practices to foster a culture of security awareness.
Healthcare’s embrace of new technologies has been a double-edged sword: While interconnected systems and tools have democratized care management, increased efficiencies, and made care management a seamless do-it-from-anywhere experience, they have also left the industry rife with exposures and vulnerable systems.
Protected patient data is healthcare’s next great innovation. To address cybersecurity challenges in the healthcare industry, companies must bolster the buy-in, budgeting, and architecture for their risk management — the costs of doing otherwise will only continue to rise. Allocating a robust cybersecurity budget may be a bit less complicated than inventing anesthetics, but that doesn’t make it painless.