The healthcare sector is one of the industries most targeted by cybercriminals, who exploit the sensitive and valuable data of patients, providers, and payers. According to a recent report by IBM, the average cost of a data breach in healthcare was nearly $11 million in 2023, the highest of any industry. Moreover, the digital transformation of healthcare systems has increased the complexity and exposure of their IT infrastructure.
Current Cybersecurity Challenges in Healthcare
Healthcare provider organizations face a variety of cybersecurity challenges, such as:
- Ransomware attacks: Ransomware is malicious software that encrypts the victim's data and demands a ransom for its decryption. Ransomware attacks can cripple the operations of healthcare facilities, endanger patient safety, and compromise patient privacy. According to a report by cybersecurity firm Sophos, 60% of healthcare organizations were targeted with ransomware attacks in 2022. Ransomware attacks can have devastating consequences for patients, who may face delays, errors, or denial of care, or even lose their lives.
- Phishing attacks: These are fraudulent emails that trick the recipient into clicking on a malicious link or attachment, or providing sensitive information. Phishing attacks can lead to data theft, identity fraud, and malware infection. Proofpoint’s 2024 “State of the Phish” report revealed that “71% of surveyed organizations experienced at least one successful attack in 2023.” Phishing attacks can expose the personal and medical information of patients, who may suffer from identity theft, financial loss, or emotional distress.
- Insider threats: These are unauthorized actions by employees, contractors, or partners that compromise the security of the organization. Insider threats can be intentional or unintentional, and can result from negligence, malice, or coercion. Telecom giant Verizon reports that insider threats accounted for 70% of data breaches in healthcare in 2023, the second highest of any industry. Insider threats can damage the reputation and trust of the organization, as well as the morale and productivity of the staff.
The Importance of Response and Recovery Capability
While prevention is a crucial aspect of cybersecurity, it is not enough to protect healthcare provider organizations from cyberattacks. No matter how robust the security measures are, there is always a possibility of a breach. Therefore, healthcare organizations need to focus on response and recovery capability, which is the ability to detect, contain, analyze, and remediate a cyber incident, as well as restore normal operations and mitigate the impact.
Response and recovery capability can help healthcare organizations to:
- Reduce the downtime and disruption caused by a cyberattack, which can affect patient care, revenue, and reputation.
- Minimize the financial and legal consequences of a data breach, which can include regulatory fines, lawsuits, and loss of trust.
- Learn from the incident and improve the security posture and resilience of the organization.
- Lower the costs of cyber insurance coverage, which have increased significantly due to the rising number and severity of cyberattacks on healthcare. Insurance companies may begin to offer discounts or incentives for healthcare organizations that can demonstrate well-thought-out prevention and recovery strategies.
How to Build Response and Recovery Capability
Building response and recovery capability requires a proactive and far-reaching approach that involves people, processes, and technology. Key steps include:
- Establishing a cyber incident response team (CIRT) that consists of representatives from different functions, such as IT, legal, compliance, communications, and business units, as well as key vendors and partners that provide essential services or support to the organization. The CIRT should have clear roles and responsibilities, as well as the authority and resources to respond to a cyber incident.
- Developing a cyber incident response plan (CIRP) that defines the objectives, scope, procedures, and tools for responding to a cyber incident. The CIRP should be aligned with organizational goals, policies, and standards, as well as with regulatory and industry best practices.
- Conducting regular training and testing of the CIRT and the CIRP, to ensure that they are updated, effective, and ready to handle a cyber incident. Training and testing should include simulations, drills, exercises, and audits, as well as feedback and improvement mechanisms.
- Implementing appropriate technologies and tools that can facilitate the detection, analysis, containment, and remediation of a cyber incident. These can include security information and event management (SIEM), endpoint detection and response (EDR), threat intelligence, and backup and recovery solutions.
- Leveraging cloud computing as a part of the recovery strategy, as it can provide scalable, flexible, and cost-effective server and storage capacity to restore the data and systems affected by a cyberattack.
- Ensuring that clinical and business departments have well-developed and practiced plans to continue to care for patients and conduct the business of the hospital during any system unavailability, including a cybersecurity incident. These plans should include alternative methods of communication, documentation, and service delivery, as well as contingency procedures for critical and urgent cases.
Cybersecurity is a critical issue for healthcare provider organizations, as they face increasing and evolving cyber threats that can jeopardize their operations, data, and reputation. While prevention is essential, it is not sufficient to ensure the security and resilience of healthcare systems. Healthcare organizations need to focus on response and recovery capability, which can help them to prepare for and overcome cyberattacks, as well as to learn and improve from them.
Assistance and fact-checking provided by Microsoft Copilot.
Meet the Author
Joe Grinstead | Chief, US Operations
Joe brings 20 years of HIT experience within the application and technology sectors to the Team. Throughout his career, he has been highly regarded for his versatility and his ability to comprehend and analyze operational, clinical, and technical concepts. He has worked with representatives at all management levels, throughout the entire healthcare spectrum including provider, consulting, and IT services.