A New Cybersecurity Commitment in Healthcare

Learn why and how healthcare leaders are fast-tracking cybersecurity investments and what priorities health systems should be focused on in 2024.

In today’s complex healthcare environment, enterprise leaders across all industries face potential cybersecurity threats from adversaries such as nation-state actors, hacktivists, and financial criminals as well as from vulnerabilities that pass through connected systems.

Some of the most attractive targets for cybercriminals are found throughout the healthcare industry. Hospital systems and healthcare providers are the most vulnerable because they produce massive amounts of data with high monetary and intelligence value.

Cyberattacks come at a high price to patients by disrupting the delivery of care, sometimes even forcing the diversion of patients away from an impacted hospital, and their cost extends well beyond damage to the health system's reputation. Healthcare cybersecurity infrastructure can also lag behind other industries in perimeter defense, in the maturity of its defensive capabilities, and in the training needed to protect against threat actors.

In 2022, cyberattacks and healthcare data breaches affected more than 50 million Americans — with the healthcare industry having the highest average cost per breach ($10.1 million) over the previous 12 years. With the growth of healthcare digitization and connected medical devices, that trend is expected to continue. Each connected medical device opens the door for bad actors to intercept data, infiltrate the network, and potentially launch ransomware and malware across it.[1]


Cybersecurity Investments in Healthcare

Across a rapidly evolving security landscape, health system executives are prioritizing cybersecurity investments as their organizations’ digital and IT budgets for this year have increased. This is the overarching message from Guidehouse's 2024 Health System Digital & IT Investment Trends report, which is based on a Healthcare Financial Management Association survey of 144 provider CFOs and executives. We examined investments across a wide variety of technology priorities, and the message from leadership was that cybersecurity is top of mind this year.

Some key findings:

  • More than half (55%) of the survey respondents cited cybersecurity as their top investment priority for 2024
  • More than 85% said they expected their organization’s digital and IT budgets to increase in 2024, with nearly half anticipating moderate to significant increases
  • One-third mentioned new or expanding relationships with outsourcing partners and digital/IT department restructuring as top shifts
  • More than half cited the need for resources and operational implementation assistance to make their digital and IT investments succeed
  • Nearly a quarter reported the lack of a comprehensive business case or implementation plan for their investments


Understanding Related Megatrends

While leaders must react to the growing impact of cyberattacks on their finances and reputation, they simultaneously need to shift from investing in technology to focusing on the larger realm of operational security (including training, automation, and augmented cybersecurity investments). Healthcare leaders are now realizing that more investment doesn’t necessarily equate to more efficient or effective security.

To preserve security in the current environment, organizations require in-depth knowledge not only of cybersecurity, fraud, and sanctions, but also of the overlapping, related megatrends, which demand specific expertise to execute effective, practical solutions and navigate these interconnected challenges. As technology has leveled the playing field and new adversaries threaten multinational corporations, healthcare organizations, and government agencies alike, enterprises must reengineer their risk management thinking and strategies. This requires leaders to evolve their risk management posture to keep initiatives and programs, critical infrastructure, and intellectual property out of danger.

That means leaders must invest in people who understand healthcare cybersecurity and its significant impact on the broader healthcare IT landscape and strategy. Healthcare organizations also need the capability to understand how service lines integrate, where the touchpoints for patient data are, and where silos exist that could undermine the standardization of cybersecurity practices.


Accessing Tools and Resources

Investments in AI, automation, and new technology approaches such as a cybersecurity mesh — where existing security and compliance investments can be better utilized — will be critical in augmenting current cybersecurity measures.

Healthcare organizations are increasingly turning to on-demand cybersecurity workforce options, such as outsourcing and managed services contracts, and to increased investment in augmented intelligence in areas such as perimeter defense, to strengthen their internal workforce capabilities.

They can also rely on frameworks such as the U.S. Department of Health and Human Services 405(d) Program to build up their capabilities without investing heavily in cybersecurity labor.[2] In 2023, the program launched a new “Knowledge on Demand” platform to provide free cybersecurity training to the health sector workforce, and it released two helpful publications: “Health Industry Cybersecurity Practices, 2023 Edition” and “Hospital Cyber Resiliency Initiative Landscape Analysis.”


Strengthening Cybersecurity Strategy

It’s time for healthcare organizations to build C-suite security leadership expertise, increase investments in maturing core security processes, strengthen accountability within the governance structure, and mesh their cyber and compliance investments. This year’s cybersecurity initiatives should focus on:

  • Evaluating cybersecurity strategy overall, from the cybersecurity operational and workforce model to how cybersecurity investments are aligned and measured against organizational goals
  • Building the cybersecurity governance maturity needed to integrate security as a topic into C-suite discussions
  • Modularizing security functions and enabling them to interoperate through a set of supportive layers in a cybersecurity mesh architecture
  • Implementing zero-trust, least privilege, and multi-factor authentication as core cybersecurity tactics to firm up the people and processes involved in cybersecurity in every healthcare organization
  • Driving return on investment by consolidating key security functions on single security platforms such as Palo Alto Networks, SentinelOne, or CrowdStrike
  • Reducing administrative burdens through such actions as automating audit data collection and incident response workflows and using augmented intelligence to identify indicators of compromise

Matt Onesko, Partner

Matt Phillips, Director

Erik Pupo, Director

[1] Mitigating Cybersecurity Risks in Healthcare with Guidehouse’s Matt Phillips. https://www.youtube.com/watch?v=1AM887Bswm4
[2] U.S. Department of Health and Human Services 405(d) Program. https://405d.hhs.gov/