The Cost of Cybersecurity in Healthcare
Most stakeholders acknowledge that cybersecurity remains a top priority for healthcare organizations. Here is some advice for getting everyone together to address risks and properly prepare to prevent evolving threats.
- by Calvin Hennick
- Business and technology journalist | June 27, 2018
It is impossible to separate cybersecurity efforts from dollars-and-cents concerns. Healthcare organizations have limited resources available for technology, and at most organizations, cybersecurity only accounts for a small minority (4 to 7 percent) of total IT budgets.
After organizations suffer a major breach, it's usually a simple task to convince executives to beef up cybersecurity solutions. But for hospitals, clinics and other healthcare providers that have escaped major incidents, it can prove difficult to persuade stakeholders outside of the IT and IS departments to view cybersecurity as a top priority. They may believe that, because patient data has remained safe thus far, the existing tools and processes must be working. How can IT and security professionals convince other stakeholders to improve an organization's security posture before it's too late?
Reframe the Conversation
One way to garner C-suite buy-in on the importance of data security is to frame it as an investment rather than a cost. For instance, when the new CIO of a medium-sized academic medical center convinced other executive leaders of the importance of security, they invested nearly $8 million on cybersecurity assessments, investments and remediation, including three new full-time staff. To convince them, he demonstrated the potential cost of a successful breach — not only fines and lawsuits, but a hit to the organization's reputation among patients and the larger community.
As it happens, the health center suffered a small breach about six months into the new CIO's tenure. The breach, which affected about 3,000 patients, was caused by an error rather than a hack. Because the organization could demonstrate its remediation plan, it suffered no fines.
Behind the Numbers
When presented with broader industry numbers about the costs of cyberbreaches, most stakeholders will be forced to acknowledge that insufficient early investment in security could be costlier in the long term. A report about cyber claims (PDF) notes that healthcare claims made up only 17 percent of total cyber claims in 2017, yet those claims accounted for 28 percent of total breach costs, which suggests that successful attacks on healthcare providers cost organizations more than breaches in other industries.
According to the report, on average, 1.6 million records were exposed in a healthcare breach. Breaches that exposed personally identifiable information were far more common (5.2 million records) than breaches that exposed protected health information (386,000 records).
The industrywide numbers are even higher. In its 2017 report on cybercrime in healthcare (PDF), Trend Micro estimates that cyberattacks against hospitals, clinics and doctors cost the U.S. healthcare industry more than $6 billion each year, with an average breach costing a hospital $2.1 million.
Often, the headline-making dollar amount is far lower. For example, when Hollywood Presbyterian Medical Center suffered a ransomware attack in 2016, it was widely reported that the hospital paid the equivalent of $17,000 in cryptocurrency to regain access to its data. While this number may seem manageable, it fails to consider the lost productivity of clinicians or the resulting public relations fiasco. The hospital's network was down for more than a week, according to other reports. Officials struggled to maintain operations after losing access to email and some patient data, relying heavily on fax machines and telephones. The hospital transported some patients to other facilities, and the equipment necessary for such functions as CT scans, lab work and pharmacy needs was offline.
Part of the reason healthcare organizations are such frequent targets is because many medical devices use older technologies that are more vulnerable to attacks. In 2017, one publication even dubbed medical devices “the next security nightmare.”
The Trend Micro report takes an in-depth look at the factors contributing to the prevalence of attacks in the industry. It notes that hospitals and other healthcare organizations often prioritize operations and efficiency over cybersecurity, leading to a lack of safeguards protecting digital assets. Many organizations, the authors say, simply lack the proper staff to handle digital threats and implement basic protection measures, such as two-factor authentication and encryption.
What's Behind ROI?
Still, cost remains a concern when considering effective and meaningful cybersecurity solutions. While preventing a breach is typically more cost-effective than responding to a successful attack, the cost of effective cybersecurity systems remains a challenge.
Jigar Kadakia, chief information security and privacy officer at Partners HealthCare, addressed the economic challenges associated with cybersecurity at the joint HIMSS — College of Healthcare Information Management Executives (CHIME) cybersecurity forum in early 2018, saying that healthcare providers are often protecting their organizations “with fly swatters.” He pointed out that the challenge is exacerbated by the fact that talented cybersecurity professionals are frequently able to command higher salaries in other sectors, forcing the industry to groom and manage homegrown talent.
However, Kadakia also said that healthcare organizations can be convinced to loosen their purse strings when IT leaders make a compelling business case for cybersecurity investments.
“The financial people — the CFO and other folks — understand ROI,” he said.
Each year, healthcare organizations collect, store and share more patient data than they did the year before — the result of evolving bedside medical devices, clinician mobility tools and emerging Internet of Things use cases. More data means more potential jackpots for hackers, whose attack methods continue to evolve.
The cost of a data breach can be immense. Providers must alert patients and report the breach to the government, resulting in both a hit to the organization's reputation and the potential for steep fines.
Cybersecurity initiatives are also costly. Every dollar and hour spent on protecting data must come from some department's budget. By identifying and implementing solutions that are both effective and efficient, hospitals can keep patient data safe without bursting IT budgets.
An Expanding Threat Landscape
When hackers lay their eyes on the sort of sensitive personal data collected and protected by hospitals and other healthcare organizations, they see dollar signs.
On the black market, a single credit card number might only fetch a price of 50 cents because there's a short window of time in which to exploit the compromised data before a financial institution recognizes the breach, invalidates the account and issues the victimized customer a new payment card.
Hospitals, however, collect information that can't be changed: Social Security numbers, birthdates, current and past addresses, next of kin. Because of its permanent nature, criminals can continue to exploit such compromised data for years, using the information to steal victims' identities for financial gain. Consequently, a single stolen record can command a price approaching $100. For obvious reasons, those circumstances mean that hospitals are a hugely attractive target for hackers.
According to the 2018 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey (PDF), 76 percent of healthcare organizations surveyed experienced a “significant security incident” in the 12 months prior — attacks that resulted from a wide variety of attack methods and motivations. The plurality of those incidents (38 percent) stemmed from online scam artists engaging in activities such as phishing and spear phishing. Negligent insiders — well-meaning personnel with trusted access who inadvertently trigger a data breach — accounted for 21 percent of incidents, according to the HIMSS survey. Healthcare organizations face fines for breaches that don't involve external actors. Most internal hospital breaches resulted from healthcare insiders looking up information about family members, friends, neighbors and acquaintances without authorization.
Meanwhile, the HIMSS survey found that hackers were responsible for 20 percent of breaches, and nation state actors, hacktivists, social engineers and malicious insiders each accounted for between 2 and 5 percent of breaches. CDW's Cybersecurity Insight Report notes that last year's WannaCry virus, a “virulent strain of ransomware,” spread across organizations' networks by exploiting vulnerabilities in Windows computers, causing billions of dollars in damages and “crippling” healthcare facilities throughout Britain.
Learn how to improve your healthcare organization's security posture by reading the CDW white paper “Ensuring the Security
of Patient Data.”