The pandemic has increased pressure on health systems to cut costs and protect margins. However, putting cyber-security programs on the list of potential cost-cutting targets could be a risky proposition.
The increased vulnerability of hospitals, health systems, and physician practices is likely due to changes in how and where healthcare is delivered, as well as the following:
- As healthcare has the highest industry average cost per incident, threat actors see the value in healthcare data.
- Virtual working arrangements will likely continue for some healthcare staff, which could increase attack perimeters as sensitive patient information is shared remotely.
- Although adoption of connected medical devices can be critical to patient care, these technologies could introduce new attack vectors for cyber-criminals.
More insidious acts are on the rise – particularly those involving the introduction of malware through third-party software, as exemplified by the recent SolarWinds attack.
Healthcare organizations are certainly aware that, when it comes to being breached, it is not a matter of if, but when. And, the financial fallout from incidents is higher than in other industries. Therefore, healthcare boards and audit committees are advocating for more aggressive cyber-security measures. And the healthcare industry is heeding that call: Over the next five years, healthcare organizations are expected to invest billions in cyber-security measures, although it is important to note that healthcare’s cyber-security investments still trail many other industries.
This paper seeks to guide your healthcare organization on how to allocate cyber-security budgets to the areas with the most value by: (1) identifying and assessing key areas of vulnerability, (2) establishing our recommended three lines of defense cyber-security approach; (3) balancing response and remediation planning with prevention; and (4) taking first steps to assess cyber maturity and begin to align programs with an increasing threat landscape.