At the end of March, the U.S. Department of Health and Human Services discussed its plans to create a centralized resource to help improve cybersecurity coordination for healthcare.
These plans come amid the fallout from the Change Healthcare cyberattack that rocked the industry when it was announced in February. An American Hospital Association survey conducted in early March found that 94 percent of responding hospitals saw a financial impact from the incident. U.S. government officials have ramped up scrutiny of the industry’s cybersecurity practices in recent weeks.
“Organizations need to operate under the assumption that they’ll be breached at one point or another,” Buck Bell, who leads CDW’s Global Security Strategy Office, said as part of recent CDW research with IT leaders. “In a sense, that’s the entire basis of the zero-trust push that we’ve been seeing over the past couple of years, the idea that you may have already been compromised.”
At this point, there is still more to learn from this serious, wide-reaching cyberattack. It was certainly top of mind when healthcare leaders met in March for the 2024 Healthcare Information and Management Systems Society global conference and exhibition in Orlando, Fla.
It was a reminder that cybersecurity, and cyber resilience, remain priorities for healthcare organizations. As Hackensack Meridian Health CISO Mark Johnson said during his HIMSS24 presentation, “If you’re standing still in cyber, you’re getting left behind.”
Connecting Cybersecurity to Your Strategic Mission
Today’s healthcare environments aren’t restricted to inside hospital walls. With virtual care, remote patient monitoring and increasing digital access points, healthcare organizations manage a complex, interconnected ecosystem. Healthcare continues to evolve to meet patient expectations for accessible care, and that requires connectivity and interoperability that can make for persistent cybersecurity challenges.
“The more holistic view you have of the enterprise as a whole — not only the specific cyber risk itself but the business impacts that are associated with it — typically the more successful you’re going to be in your cyber resilience aims,” Bell said. “From my perspective, cyber risk is business risk.”
When it comes to justifying cybersecurity investments to the C-suite, 35 percent of healthcare IT leaders said that showing the cost of a data breach, such as in loss of sales and productivity, has been very effective for obtaining funding, according to CDW research.
Hackensack Meridian Health leaders echoed this finding when they shared lessons from a 2019 ransomware attack, which prompted increased cybersecurity funding, more proactive leadership security and third-party risk management for the New Jersey-based health system.
“Every leader in every organization is a risk manager. They make risk decisions every day,” said Christopher Jurs, director of identity governance and cybersecurity planning at Hackensack Meridian Health, during his HIMSS24 session.
But as healthcare matures its zero-trust security strategy, which has gained momentum in recent years with the push for adoption by federal agencies, barriers remain. Nearly 50 percent of healthcare IT leaders said that the integration of legacy tools is a top challenge for implementing zero-trust principles, followed by establishing an effective zero-trust strategy in the first place (45 percent) and meeting cultural resistance from users (32 percent).
Difficulties with Integration for Healthcare Cybersecurity
When asked what is still missing from their organization’s approach to cybersecurity, healthcare IT leaders named insufficient or ineffective employee security training, a lack of budgetary resources and inadequate threat detection as the top factors, according to CDW research. However, about 47 percent of IT leaders said that they are very confident that they have sufficient visibility into their current cybersecurity landscape.
That seems to align with the experiences of some healthcare organizations that are maturing their network monitoring and device management approaches. Health systems often have to manage hundreds or even thousands of devices, from MRI machines, glucose monitors and infusion pumps to smartphones and tablet devices. California-based El Camino Health, for example, has more than 30,000 endpoints, Deputy CISO Lawrence Smith said at HIMSS24.
Still, the integration of security tools remains an area for improvement. About 33 percent of healthcare IT leaders said that they’re finding it somewhat difficult to integrate all of the security tools that they are using, according to CDW research.
“We talk a lot about rationalizing tool sets, and the way you rationalize is you look at the overlapping functionality that you have in play,” said CDW Vice President of Security Stephanie Hagopian. “Are there ways to deprecate overlapping functionality? If so, deprecate and consolidate, and then use that money you’re saving to invest in the places where you have a gap.”