Ransomware attacks can endanger patients and cost health systems millions. Experts say the C-suite is more engaged on the issue.
Hospitals have been dealing with cyberattacks with disturbing regularity in the last few years.
Yes, hundreds of data breaches involving hospitals and healthcare organizations have been reported in 2023. But there are indications that the industry is making progress.
Mike Hamilton, founder and chief information security officer of Critical Insight, a cybersecurity firm, says he thinks the industry’s cybersecurity defenses are improving, largely due to some powerful motivation from leaders.
“Is healthcare getting better at security? They are because, notably in the C-suite, they've got the fear of God in them now,” Hamilton says.
Hospitals face heavy costs from ransomware attacks. The average healthcare data breach cost nearly $11 million, according to an analysis by IBM Security. Health systems must invest time and money restoring systems and maintaining patient care if they don’t have access to key systems, such as their electronic health records. They also face the threat of lawsuits and fines if there's a breach.
Hamilton says healthcare leaders are also paying attention because, "The threat activity is so high."
Cyberattacks also pose risks to patient safety, if hospitals have to delay procedures or treatments due to the disruption. When Scripps Health suffered a costly ransomware attack in 2021, some patients had to be transferred to other facilities.
John Delano, vice president at CHRISTUS Health and healthcare cybersecurity strategist at Critical Insight, says he’s seen health systems doing more to protect themselves and their patients.
“I do think that there is a better focus today than in years past on spending money for cybersecurity,” Delano says. “I primarily live in the not-for-profit healthcare world. So our margins are very, very small. And you know, it is a challenge to continue to get funds to fund cybersecurity.”
Hospital boards are asking more questions about cybersecurity, Delano says.
“Security is starting to be reported out at the board level,” Delano says. “They're engaged and taking an interest. So all that stuff is good and great. But the costs are the big challenge.”
About half of all hospitals finished 2022 with negative operating margins, according to Kaufman Hall, the healthcare consulting firm. Many are likely to continue to struggle with modest margins for the foreseeable future, analysts project. So paying for cybersecurity is likely to remain difficult, even with the pressing need.
Mike Britton, chief information security officer for Abnormal Security, a cybersecurity firm, says the healthcare industry lags behind other critical sectors, including the financial sector. Large banking and financial services firms typically have multi-million dollar cybersecurity budgets, he says.
Britton says in his conversations with healthcare IT leaders, he knows funding is a consistent battle.
“I think there's a lot of really well-run healthcare organizations that put the time and attention and funding into keeping their environment, their company, their patients safe from a cybersecurity perspective,” Britton says. “But there's also a lot of smaller healthcare organizations that don't have that luxury.”
In the past, criminal gangs were leery of targeting hospitals and healthcare providers, because even bad actors didn’t necessarily want to endanger lives, says Nick Hyatt, the practice manager for Optiv's Global Threat Intelligence Center.
While some ransomware gangs still adhere to a sort of honor code when it comes to hospitals, others are more motivated by the money, and they know some hospitals will pay if they’re attacked. Federal law enforcement agencies strongly urge hospitals against paying a ransom, but even cybersecurity analysts concede it’s a difficult decision.
“We have a high confidence level that this is not going away,” Hyatt says. “Ransomware makes money.”
Hyatt says he sees some hospitals making strides in cybersecurity.
“There have been some healthcare organizations that I've worked with that are very mature,” Hyatt says. But he’s worked with other smaller healthcare providers that may employ just one person to manage information technology, or perhaps someone who can devote part of their time to cybersecurity.
Hospitals have unique challenges compared to other sectors, says Limor Kessem, a senior cybersecurity consultant for IBM Security.
“It's a big attack surface, and it's very diversified. It's really hard to protect it,” Kessem says.
Hospitals manage enormous amounts of private health information and a mission to serve patients. Hospitals also require FDA approval for upgrades or patches to address vulnerabilities in medical devices, and the wait for the approval can be lengthy, Kessem says.
Security experts stress that CEOs and boards must be heavily engaged on cybersecurity. Hamilton and Delano both described it as “mandatory.”
“It is required to have that leadership engaged all the way up to the board level to ensure that you're working your plan,” Delano says. “Most organizations have a multi-year security strategy. And if done right, the board is holding the organization accountable to meeting that strategy.”
John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, says he sees hospital leaders demonstrating a greater awareness of the dangers of cyberattacks.
“They all understand that the first priority of any cybersecurity program in healthcare is patient safety,” Riggi says. “They understand that the number one risk posed by cyber risk is the risk to patient safety, because of the disruption and delay to healthcare delivery.”