How Healthcare Falls Short on Cybersecurity – And How to Catch Up

At a glance:

• Another healthcare crisis: The rapid and unceasing rise in healthcare-related cybercrimes is taking its toll, contributing to widespread patient distrust in providers’ ability to safeguard personal information.
• Do no harm: Patients will always suffer the most when a healthcare provider or business fails to implement effective cybersecurity protocols, so prioritizing patient care must also include prioritizing patient data security.
• Next steps: Healthcare businesses need to make cybersecurity a top priority, from investment strategies to hiring decisions.

Not sure whether your cybersecurity approach is sufficient? Contact Aprio today.

The full story:

2020 was a transformative year for the healthcare industry. The COVID-19 pandemic motivated healthcare providers to get more innovative, causing Healthcare IT companies to experience explosive growth as people across the country embraced telehealth solutions at a rapid rate. These changes helped our healthcare system respond to the unique challenges of a global pandemic, but they also created new, escalating cybersecurity vulnerabilities.

As I mentioned in a previous article on cybercrime, ransomware attacks in the healthcare industry rose 470% between 2019 and 2020. Many cybersecurity experts predict an even greater rise in 2021 and warn that healthcare-targeted cyber crimes are increasing in severity, too – not just frequency. The more digital our healthcare system becomes, the more sensitive personal data is at risk for breaches, theft, and exploitation.

What’s at risk

Hackers can have varying motives behind their attacks on healthcare systems, but the end result is often the same: cybercriminals walk away with highly personal data providing all the information necessary to extort victims. Hackers can use their access to personal health data to:

• Exploit healthcare systems by demanding ransoms
• Blackmail patients by threatening to expose medical history
• Run social engineering scams to access victims’ other personal accounts
• Sell private information to other cybercriminal organizations

The recent ubiquity of these attacks is having a tangible impact on American healthcare systems. Frost Radar recently found that “more than 90% of all healthcare organizations reported at least one security breach over the last three years in the United States,” and this rise in data breaches is directly contributing to patients’ growing distrust in their healthcare providers. A survey from CynergisTek reported:

• 1 in 5 Americans doubt how effectively their healthcare providers protect their health data
• 67% of Americans would sever ties with a healthcare provider over unprotected personal health data
• 5% of Americans would be unlikely to use telehealth services again if their personal health data was compromised

Patient trust is imperative to the efficacy of our healthcare systems, and these statistics reflect a true crisis. In this digital age, effective patient care must be synonymous with effective cybersecurity protocols.

Get back on track

Any business or provider in the healthcare industry already knows that patient data security is critically important, yet many continue to fall short. The same Frost Radar survey mentioned above also found that 61% of healthcare businesses admit to insufficient cybersecurity mechanisms.

The unfortunate reality is that many healthcare industries lack the knowledge and the resources to improve. However, these are not insurmountable roadblocks. Better cybersecurity is possible within the healthcare industry, but achieving that goal requires new, more creative approaches.

Here are a few steps healthcare businesses can take towards improving cybersecurity and rebuilding patient trust:

1. Collect the right data. Your cybersecurity program is only as effective as the data it evaluates. Detection platforms work by ingesting and processing information to identify anomalies that could signal a cyber attack. If you aren’t collecting the right data holistically across the enterprise, your security tools won’t have the critical information needed for early indications of compromise.
2. Prioritize hiring the best cybersecurity talent. Businesses in the healthcare industry have historically undervalued the roles and structure of cybersecurity teams, which directly undermines the effectiveness of any data security measures in place. From structuring your c-suite to your general hiring approach, it’s probably time for an overhaul.
3. Take a cue from other industries. Data security challenges are not unique to the healthcare industry – many other sectors have faced the same struggles, with varying degrees of success. Consider the financial industry: the rapid trend towards mobile banking created unprecedented cybersecurity challenges that were also exacerbated by the pandemic. There are many lessons to be learned here, from implementing digital tools to consumer tolerance limits.
4. Measure security program quality. Cybersecurity protocols are not a one-time implementation; they require frequent assessments to measure their effectiveness against modern security threats. Security programs should be evaluated on the type and quality of the data collected as well as the success rate in detecting true threats.
5. Strive for continuous improvement. Continuous change is the only constant you can rely on in cybersecurity; technology is constantly evolving, as are cybercriminal’s approaches. Assess your security program on a regular basis and prioritize integrating control improvements in a timely manner. Otherwise, you could be putting patient information at risk.

The bottom line

Don’t wait until it’s too late to improve your healthcare business’s cybersecurity strategies. The steps I outlined above may seem overwhelming at first, but you don’t have to undertake this process alone. Consider working with an advisory team, like Aprio’s Digital Transformation and Cybersecurity Advisors, that can evaluate your current strategies, recommend improvements, and help you implement new mechanisms that better align with your goals and patients’ needs.

Contact us today to schedule a consultation.

Related resources

• Is your company equipped for a ransomware attack?
• Video: A cybersecurity checklist for your remote workers
• What to expect from a cybersecurity investigation