Last year, healthcare set a new record, but it’s not one to be proud of. In 2023 there were 725 large security breaches reported to the Department of Health and Human Services. This indicates a cybersecurity problem in the healthcare industry, affecting millions of people and costing billions of dollars.
Healthcare Data Breaches
A healthcare data breach occurs when a patient’s protected health information (PHI) is used or disclosed in a way that compromises the patient’s privacy or security. From the perspective of a healthcare user, which all of us are, our data is valuable information. Each breach goes beyond costing the healthcare company money; it adds a cost to every individual who was impacted as well.
The 11 largest breaches of those 725 affected over 70.3 million individuals, triple the same measure from 2022. Each healthcare breach averages a cost of $10.93 million, the highest average of any industry. In comparison, pharmaceutical industry breaches average $4.82 million per breach, which is 44% of the cost of each healthcare industry breach.
A single breach is devastating for a healthcare organization and the people affected. Even with healthcare organizations spending an average of 7% of their budgets on cybersecurity, the results aren’t changing.
Whether you are an organization that is proactively searching for solutions or an organization managing the fallout of a data breach, Untangle Health is here to help navigate the risky world of cybersecurity for healthcare organizations. We eliminate the noise behind the cyber attack scare and the cyber buzzwords and focus on the solutions that will make your organization resilient.
Exposure and Vulnerabilities Started Years Ago
In 2021, the HHS Cybersecurity Program published a retrospective look at healthcare cybersecurity breaches, threats, and lessons learned from 2020. This report highlighted ransomware, data breaches, and the significant impact of the COVID-19 pandemic.
In a rapidly digitizing healthcare market, amid worldwide confusion about what to do next, the sudden shift to remote work left our healthcare data and systems vulnerable and exposed. We saw this, for example, when organizations moved to online meetings, calls, and conferences. Looking back, many organizations did not even have a Zoom license. They also had no VPN, MFA, RBAC, or other security best practices in place for this sudden switch to virtual conversations and remote work. In hindsight, it is easy to see how those vulnerabilities from 2020-2021 snowballed into the breaches happening in 2023.
Is Being HIPAA Compliant Enough?
Healthcare companies can no longer afford to depend only on “HIPAA Compliant, SOC Certified, HITRUST” solutions offered by healthcare IT vendors.
In 2023, 12% of healthcare data breaches originated from software vendor vulnerabilities. Even worse, those attacks originating from vendors cost 8.3% more and took 8.9% longer to identify than any other type of breach. The historical approach of shifting risk to vendors has led to complacency, with pecking orders derived from business associate agreements (BAAs) creating a false sense of security for organizations’ legal teams.
The check-the-box approach helps procurement move faster, but without pulling in the experts to understand the nuance of each vendor, there will be blind spots, and the aggregate portfolio of vendors becomes harder to assess as a whole.
When a breach does occur, some of the discovery and troubleshooting in the post-mortem will be entirely net-new, because the “compliant” solutions were waved through procurement without deeper review. Having a set of HIPAA-compliant vendors is not enough. Organizations need a holistic resiliency strategy and security posture, with a deep understanding of each player within their ecosystem.
Why Does Healthcare Cybersecurity Matter?
There is an expectation from all sides that a healthcare organization is overseeing and managing its own cyber risk. However, many healthcare organizations don’t know what a comprehensive cyber strategy consists of. In the age of data moats and proprietary models, cybersecurity should be an organizational imperative to protect your data and your customers’ data.
Beyond the loss of data, breaches and attacks damage brands, erode customer trust, can impact payroll, and can negatively affect operations and patient care delivery. A full cybersecurity plan encompasses more than vendors; it includes the operations, infrastructure, and personnel that make up the organization.
Untangle Health consults with and assists organizations in creating and implementing effective cybersecurity plans. We know that “securing data” is a foundational component of our Healthcare Data Value Chain. A strong, defensible, and secure ecosystem protects the work done with interoperability, APIs, and cloud transformation — work where legacy and “frankensteined” systems remain exposed.
With technology changing so quickly, it’s difficult for an organization to keep up with the required policies and implement effective measures. In our experience, most healthcare organizations struggle to handle a comprehensive cyber risk strategy in-house, and cyber insurance is catching on.
Cyber Insurance for Healthcare
Organizations are seeing rising premiums because they lack the ability to manage the full scope of organizational risk. Cyber insurance costs for healthcare have seen double-digit premium increases since 2019, mostly due to the growing number of healthcare companies that don’t have the resources to protect their systems.
In addition to rising costs, healthcare organizations face increasingly complex requirements even to obtain coverage in the first place.
Lessons From Other Industries
Healthcare is lagging behind other industries in cybersecurity, but no one is safe or excused from this discussion. Even as we work to advance our cybersecurity technology, cybercriminals are getting savvier.
However, we can learn valuable lessons from others who have to protect sophisticated systems and user data from breaches, such as the financial sector. The financial sector, despite decades of challenges, has reached more advanced levels on the cybersecurity maturity curve.
Financial institutions have addressed challenges by bringing cybersecurity into the boardroom. They have created specialized technology committees, used risk-based metrics to manage cybersecurity, and ensured that decision-makers have the appropriate expertise to navigate the challenges posed by security breaches.
As a partner in helping healthcare organizations develop cyber resiliency strategies, we know that organizations can draw valuable insights from the initiatives that have proven successful in the financial sector.
What Can You Do Now?
Creating a stronger cybersecurity framework may feel daunting, but it’s not something any organization should delay when you consider the consequences a data breach has for your customers and for you. Here are a few areas that Untangle Health recommends you consider right now:
- As you conduct your annual vendor review or bring on new vendors, go deeper than asking whether each vendor has the HITRUST, SOC 2, HIPAA, etc. boxes checked. While these certifications are leading indicators of readiness and competence, they are not the full picture. A comprehensive risk registry is updated frequently and should encompass risks to key vendors, as they may hold two-legged keys to your core systems. Get ahead of cybercriminals and threat actors by implementing effective resiliency procedures and the latest technologies and tools. After decades of point-to-point connections, managing security through an API gateway alone is reactive and outdated.
- Consider implementing API behavioral analysis, three-legged RBAC, zero trust, reverse proxies, and other tools to obscure your systems from the outside, obscure your data in transit and at rest, increase the specificity of system access, and continually evaluate your partners’ traffic for problematic patterns. Tomorrow’s requirements are today’s best practices. The tools are out there and are already protecting governments and financial institutions; let’s learn from them.
- Ask for help if you need it. Cyber never sleeps and is a constantly changing environment. Our work securing the healthcare data value chain has opened our eyes to the key strategies that every organization should implement, and to the cutting-edge strategies that will become table stakes tomorrow. We also partner with some of the most sophisticated cyber leaders, and we are humble enough to ask for help (and we do, frequently).
Failing to safeguard the digital healthcare landscape exposes us all to catastrophic risk, disruption, and compromised customer and patient trust. Instead, foster a proactive security mindset, embrace innovation, and maintain an unwavering focus on securing your digital assets.
You do not need to be the next statistic. If you do not know where to start, remember that cyber is a team sport and we are part of that team. Untangle Health can help you build a resiliency strategy that will secure your organizational data and implement the right partnerships in healthcare technology for your Healthcare Data Value Chain.