It is impossible to separate cybersecurity efforts from dollars-and-cents concerns. Healthcare organizations have limited resources available for technology, and at most organizations, cybersecurity only accounts for a small minority (4 to 7 percent) of total IT budgets.
After organizations suffer a major breach, it's usually a simple task to convince executives to beef up cybersecurity solutions. But for hospitals, clinics and other healthcare providers that have escaped major incidents, it can prove difficult to persuade stakeholders outside of the IT and IS departments to view cybersecurity as a top priority. They may believe that, because patient data has remained safe thus far, the existing tools and processes must be working.
How can IT and security professionals convince other stakeholders to improve an organization's security posture before it's too late?
Reframe the Cybersecurity Conversation for the C-Suite
One way to garner C-suite buy-in on the importance of data security is to frame it as an investment rather than a cost. For instance, when the new CIO of a medium-sized academic medical center convinced other executive leaders of the importance of security, they committed nearly $8 million to cybersecurity assessments, investments and remediation, including three new full-time staff. To convince them, he demonstrated the potential cost of a successful breach — not only fines and lawsuits, but a hit to the organization's reputation among patients and the larger community.
As it happens, the health center suffered a small breach about six months into the new CIO's tenure. The breach, which affected about 3,000 patients, was caused by an error rather than a hack. Because the organization could demonstrate its remediation plan, it suffered no fines.
What Breaches Cost Healthcare Organizations
When presented with broader industry numbers about the costs of cyberbreaches, most stakeholders will be forced to acknowledge that insufficient early investment in security could be costlier in the long term. A report about cyber claims notes that healthcare claims made up only 17 percent of total cyber claims in 2017, yet those claims accounted for 28 percent of total breach costs, which suggests that successful attacks on healthcare providers cost organizations more than breaches in other industries.
According to the report, on average, 1.6 million records were exposed in a healthcare breach. Breaches that exposed personally identifiable information were far more common (5.2 million records) than breaches that exposed protected health information (386,000 records).
The industrywide numbers are even higher. In its 2017 report on cybercrime in healthcare, Trend Micro estimates that cyberattacks against hospitals, clinics and doctors cost the U.S. healthcare industry more than $6 billion each year, with an average breach costing a hospital $2.1 million.
Often, the headline-making dollar amount is far lower. For example, when Hollywood Presbyterian Medical Center suffered a ransomware attack in 2016, it was widely reported that the hospital paid the equivalent of $17,000 in cryptocurrency to regain access to its data. While this number may seem manageable, it fails to consider the lost productivity of clinicians or the resulting public relations fiasco. The hospital's network was down for more than a week, according to other reports. Officials struggled to maintain operations after losing access to email and some patient data, relying heavily on fax machines and telephones. The hospital transported some patients to other facilities, and the equipment necessary for such functions as CT scans, lab work and pharmacy needs was offline.
Part of the reason healthcare organizations are such frequent targets is that many medical devices use older technologies that are more vulnerable to attacks. In 2017, one publication even dubbed medical devices “the next security nightmare.”
The Trend Micro report takes an in-depth look at the factors contributing to the prevalence of attacks in the industry. It notes that hospitals and other healthcare organizations often prioritize operations and efficiency over cybersecurity, leading to a lack of safeguards protecting digital assets. Many organizations, the authors say, simply lack the proper staff to handle digital threats and implement basic protection measures, such as two-factor authentication and encryption.
What's Behind Cybersecurity ROI?
Still, cost remains a concern when considering effective and meaningful cybersecurity solutions. While preventing a breach is typically more cost-effective than responding to a successful attack, the cost of effective cybersecurity systems remains a challenge.
Jigar Kadakia, chief information security and privacy officer at Partners HealthCare, addressed the economic challenges associated with cybersecurity at the joint HIMSS and College of Healthcare Information Management Executives (CHIME) cybersecurity forum in early 2018, saying that healthcare providers are often protecting their organizations “with fly swatters.” He pointed out that the challenge is exacerbated by the fact that talented cybersecurity professionals are frequently able to command higher salaries in other sectors, forcing the industry to groom and manage homegrown talent.
However, Kadakia also said that healthcare organizations can be convinced to loosen their purse strings when IT leaders make a compelling business case for cybersecurity investments.
“The financial people — the CFO and other folks — understand ROI,” he said.
Each year, healthcare organizations collect, store and share more patient data than they did the year before — the result of evolving bedside medical devices, clinician mobility tools and emerging Internet of Things use cases. More data means more potential jackpots for hackers, whose attack methods continue to evolve.
The cost of a data breach can be immense. Providers must alert patients and report the breach to the government, resulting in both a hit to the organization's reputation and the potential for steep fines.
Cybersecurity initiatives are also costly. Every dollar and hour spent on protecting data must come from some department's budget. By identifying and implementing solutions that are both effective and efficient, hospitals can keep patient data safe without bursting IT budgets.
Learn how to best prepare your healthcare organization for looming cyberthreats by reading the CDW white paper “Ensuring the Security of Patient Data.”