The pandemic’s impact and where healthcare cybersecurity is heading
Healthcare cybersecurity trends are demonstrating that cybercriminals are changing tactics and healthcare organizations must adapt to heightened and evolving threats. Here are six trends that we see shaping and informing the decisions, budgets, and priorities for healthcare.
Trend #1: Healthcare institutions weren’t meeting national security standards before the pandemic.
From 2005 to 2019, over 43 percent of all health data was compromised in data breaches. And even in 2019, only 44 percent of healthcare institutions met national cybersecurity standards, with declines in four of the five core functions outlined in the National Institute of Standards and Technology (NIST) framework, including identify, protect, respond, and recover. NIST conformance scores demonstrate healthcare's lack of cybersecurity preparedness, with 64 percent of healthcare organizations scoring below 80 percent conformance.
Among healthcare organizations, assisted living facilities had the highest NIST compliance at 96 percent; payers and accountable care organizations had the next highest; business associates, hospitals, and health systems followed; and physician groups had the lowest compliance at 20 percent.
Trend #2: Pandemic revealed and exposed new and increased cyber risk for healthcare.
The pandemic required healthcare to pivot quickly and ramp up virtual care and telehealth alongside remote work, which opened opportunities for cybercriminals to exploit vulnerabilities and hit healthcare while its IT and cyber resources were stretched thin. As the pandemic continued, cyberattacks were predicted to triple in 2021, with 73 percent of health systems, hospitals, and physician organizations reporting that their infrastructures are still not prepared to respond. The survey results estimated that 1,500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a 300 percent increase over 2020.
The pandemic exposed the cyber risk in healthcare supply chains.
The pandemic uncovered that the decentralized nature of global supply chains can impact healthcare and increase the risk to care. The security of third-party suppliers also became a heightened risk.
A review of 100 healthcare provider cybersecurity assessments across the care continuum revealed that supply chain management was the second lowest-scoring and the least mature category assessed. Even healthcare organizations with high-performing cybersecurity programs scored an average of only 2.7 out of 5 for supply chain management. In fact, when it comes to supply chain security, only 23 percent of assessed organizations passed. Issues with third-party risk management (TPRM) show that many still struggle to validate that their vendors are meeting their contractual security commitments.
Remote work, telehealth, and increased email use increased cybersecurity risk.
Three technologies accelerated due to the pandemic: videoconferencing, remote email, and telehealth/virtual care. Forty-four percent of organizations surveyed adopted telehealth in the past year in response to the pandemic. Today, 96 percent use email and 95 percent use telehealth. These are seen as high security risks, with 84 percent concerned about remote work/email and 70 percent concerned about telehealth as introducing risk that must be addressed.
Trend #3: Patient cybersecurity perceptions add more risk for healthcare.
In one survey of 3,500 healthcare consumers who had used medical or hospital services in the previous eighteen months, 93 percent said they would leave their providers if they believed their medical records or privacy were compromised, particularly if they thought the attack could have been prevented.
Consider that 80 percent of healthcare organizations did not conduct a cybersecurity drill of their incident response process in 2020, in the face of unprecedented numbers of data breaches. Additionally, 26 percent of provider organizations believed their cybersecurity position had worsened year over year, compared to three percent in other industries.
With only 14 percent of hospitals and six percent of physician organizations confident that a 2021 assessment of their cybersecurity will show improvement over 2020, there is greater motivation to act when patient loyalty hangs in the balance.
Trend #4: Cybersecurity budgets are increasing but still inadequate.
Healthcare was an increasingly attractive cyberattack target before the pandemic, but as care delivery and IT delivery models transform drastically, data security risks are elevated, and healthcare is lagging in directing budgetary and human resources toward proactive and preventative efforts.
While the healthcare industry is estimated to spend $134B on cybersecurity from 2021 to 2026 and $18B in 2021, 82 percent of health system CIOs and CISOs agree budgets have not been allocated effectively. Monies are often allocated only after breaches and without a complete assessment of capabilities and risks.
In 2019, 69 percent of C-suite executives stated that their health system's budget for cybersecurity consulting was increasing, to assess gaps and to secure network operations and user security on-premises and in the cloud. Additionally, spending on healthcare industry cybersecurity products and services has been trending up, averaging 21 percent year-over-year growth since 2017. Seventy-three percent say their organization needs to increase funding to maintain current security and compliance.
Trend #5: Ransomware and other top threats are increasing.
Ransomware is the number one topic among healthcare IT professionals. Microsoft's recent report on how the healthcare threat landscape shifted from early in the pandemic through the summer of 2020 revealed that ransomware was the most common attack method, increasing drastically in frequency and sophistication since the pandemic began. Remote work, a charged political climate, record cryptocurrency prices, and threat actors weaponizing cloud storage and tools have all contributed to a new level of risk for healthcare organizations.
Today, ransomware has become a business ecosystem. Previously, ransomware was mostly delivered through phishing emails and malicious websites. Now, cybercriminals who establish a foothold inside an organization's network can sign up for ransomware affiliate programs to earn money. Once they have proven they have access, they are given the ransomware and share a portion of the profits with the software's developers.
In 2020, these attacks cost healthcare $20.8B in downtime alone, a 200 percent increase over 2019. One research report found that 92 individual ransomware attacks occurred at healthcare organizations, affecting 600 clinics, hospitals, and organizations. More than 18M patient records were impacted by these ransomware attacks, a 470 percent increase over 2019.
Trend #6: More legislation, more tools, but not enough CISO authority and education.
Legislation is ramping up.
More than 45 states plus Puerto Rico have introduced or are preparing more than 250 bills or resolutions that deal specifically with cybersecurity. Most legislative activity centers on the following:
- Requiring government agencies to implement cybersecurity training; implement formal security policies, standards and practices; and practice security incident response.
- Increasing regulations in the insurance industry while specifically addressing cybersecurity insurance.
- Creating task forces, councils or commissions to study and advise on cybersecurity issues.
- Increasing support for programs and incentives for cybersecurity training and education.
Continuity tools are key for healthcare.
The U.S. Department of Health and Human Services (HHS) Office of the Assistant Secretary for Preparedness and Response (ASPR), through ASPR TRACIE, offers the following checklists to help healthcare organizations solidify operational continuity in the face of cyber incidents:
- Hospital Downtime Operations
- Hospital Downtime Preparedness
- Cyber Incident Response
- Cyber Incident System Restoration
For further support, download our white paper on business continuity and the Business Impact Analysis.
CISO authority & solution knowledge needs.
Seventy-five percent of health system CISOs surveyed agreed that seasoned cybersecurity professionals are unlikely to choose healthcare as a career path, mainly because healthcare CISOs are held responsible for a data breach and its financial and reputational impacts on the provider organization. This is true regardless of their level of authority and decision-making power.
Additionally, 51 percent of in-house IT managers surveyed who have purchasing authority reported that they and their teams are not aware of the variety of cybersecurity solutions available and appropriate to their needs. This includes mobile security, intrusion detection and prevention, and forensics and testing across healthcare settings.
Lastly, more education is needed: 40 percent of all clinical hospital employees received little or no cybersecurity awareness training in 2020. Fifty-nine percent of health system CIOs are shifting security strategies as user authentication and access controls became attackers' main avenue for gaining entry. Fifty-three percent of health systems surveyed said hackers are more frequently using cloud misconfigurations to breach networks.
Where should you focus cybersecurity effort and budget now?
Every healthcare organization needs to take a fresh look at its cybersecurity priorities in light of pandemic trends, as well as its operational, business, and patient care objectives and their data risk implications. Our CyberLean approach does that in the most focused, risk-based, and budget-efficient way possible.