Healthcare Organizations Must Balance Cybersecurity with Other Priorities
The American Hospital Association recently described a ransomware attack on a hospital as “crossing the line from an economic crime to a threat-to-life crime.”
And yet, ransomware attacks against healthcare organizations – including those serving some of the world’s most vulnerable patients at children’s hospitals – persist. Healthcare data is among the most coveted by cybercriminals, and fetches as much as $1,000 per record (comparatively, Social Security numbers are valued at $1). So, it’s no surprise that hacktivist group Killnet has targeted hospitals in every U.S. state.
Key findings from the new Porter Research study
- 100% of leaders across partner, payer, and life sciences organizations cited “growing hacker sophistication” as the primary driver behind the increase in ransomware attacks
- 81% of those leaders rely on basic methodologies, such as email filtering and firewalls, as their primary defense mechanisms against cyberattacks
- 60% of leaders are “less than fully confident” in the technologies they use to prevent and mitigate ransomware attacks
Leaders are less than confident
A new study from Porter Research confirms that the increasing severity and frequency of attacks within their industry, and the high stakes surrounding them, are not lost on healthcare leaders.
The preeminent IT and healthcare market research company — using quantitative and qualitative data from late 2022 and early 2023 — found that across provider, payer, and life sciences/pharmaceutical companies, more than half of leaders are “less than fully confident” in the technologies they use to prevent and mitigate ransomware attacks.
The Porter Research study also found that 85% of leaders place mitigating cyberattacks as a high or very high priority, and 82% plan to increase their investments aimed at preventing and mitigating ransomware attacks. Given ongoing pandemic-related challenges affecting the breadth of the healthcare ecosystem — including smaller margins and staffing challenges — the prioritization of investment in infrastructure security is especially notable.
“I think many healthcare organizations struggle to balance the resources they need to protect their organizations with the resources they need to support high-quality care, and changing government regulations.
When you couple this with the rigidity of legacy systems and a lack of focus on cybersecurity for several years, it is very hard to catch up to the level of sophistication that today’s cyber criminals have.”
— U.S. healthcare executive and Porter Research survey respondent
A panoply of priorities
For many healthcare organizations, the pandemic was the catalyst to push forward their digital transformation. IMD Global Center for Digital Transformation notes in its annual Digital Vortex report that healthcare and pharmaceuticals moved from the outward, lagging perimeter to the middle of its vortex, among 13 other industries (including media and retail), in just two years.
But that has led to some growing pains when it comes to balancing competing priorities, like an increasingly complex regulatory landscape. The extraordinary number of legacy systems in most healthcare organizations often yields decreased visibility across those organizations. Exacerbating those challenges is the growing use of bolt-on solutions or the use of external vendors to expand capabilities and operational efficiencies.
At the end of last year, the Department of Health and Human Services (HHS) reported that 50% of the 10 largest healthcare-related data breaches in 2022 were caused by vendors or business associates.
More attacks of increasing sophistication
Porter Research found that more than half of provider executives surveyed experienced a cyberattack in the past three years — a number that could actually be higher, given respondents' clearance (or lack thereof) in their organizations, and the HHS reporting threshold (500 patients or more). Among respondents in the life sciences and pharmaceutical industries, 36% reported a known breach — and 27% of health insurance payers also noted having experienced an attack in the period between 2019 and 2022.
The Porter Research study found that 100% of leaders across partner, payer, and life sciences organizations cited “growing hacker sophistication” as the primary driver behind the increasing number of successful attacks. Those findings are supported by Microsoft’s recent Digital Defense Report, which notes that the primary goals of phishing and email compromise have evolved from basic malware to ransomware and credential harvesting.
Notes Chris Jenkins, Chief Digital Officer of the FBI, “The core cybercrime method, which is phishing, hasn’t changed, but the sophistication of [methods] has.”
Prevention is the best medicine
In healthcare, prevention is often the best medicine. As it turns out, that philosophy is increasingly being adopted by healthcare IT leaders for the health and sustainability of their physical systems and broader ecosystems.
An overwhelming majority of the Porter Research study respondents noted that to meet the increasing sophistication of attackers, they will dedicate more resources to cybersecurity than ever before. Over the next few years, 87% of payer organizations, 80% of life sciences/pharmaceutical organizations, and 78% of healthcare provider organizations plan to continue to invest in cybersecurity.
That’s a wise investment, considering the financial and clinical implications of organizational downtime. IBM notes that healthcare has had the highest breach-related financial damages for 12 consecutive years, now averaging $10 million per attack.
Taking basic protection to the next level
Porter Research noted that what’s prioritized and what specific solutions are coming next varies across payers, providers, and life sciences organizations.
“The landscape of approaches is broad but not deep,” the researchers wrote, further noting that 81% of the surveyed leaders are currently relying on basic methodologies, such as email filtering and firewalls, for their primary defense mechanisms against cyberattacks.
One executive said that healthcare organizations have had “a lackadaisical attitude for quite a while” toward cybersecurity. “Now it’s like we’re having an ‘o-my-god’ realization, that we have to do this, and we have to catch up with other industries’ postures.”
Resource investment in infrastructure
To keep pace, Porter Research noted, payers and providers are prioritizing resource investment into infrastructure enhancement. Those methods include segmentation tools, DDoS protection, authoritative DNS, and global server load balancing. Cloud compute and performance (including serverless edge computing) was ranked second by providers and payers, but first by pharmaceutical and life sciences companies.
That comes as little surprise to Cynthia Porter, founder of Porter Research, who wrote, “We are constantly speaking with IT leaders within healthcare organizations who are struggling to balance the investments needed to keep their organizations secure while also advancing their digital transformation strategies.
“We see some segments have deeper pockets available for investments in security and innovation, while other segments fall further and further behind. Aligning with the right security partner that can adapt to your specific needs and constraints has never been more important to all healthcare organizations.”
The need for a trusted partner
One study respondent noted that addressing the “huge momentum and acceleration” across the ecosystem means enhancing security with a trusted partner for their organization and others. “People are realizing they have this huge effort to deliver, and they have to outsource or increase resources and tools fast. They're turning more to technologies and companies. That's all these companies do, and they do it at scale.”