For health care organizations, a cybersecurity attack is not a matter of “if,” but “when"

RSM’s special report on cybersecurity described cybercriminals’ relentless pursuit of data and sensitive information that led to record levels of several types of attacks in 2021. The COVID-19 pandemic altered the threat landscape due to the large-scale shift to a remote work environment and more dependency on the internet to increase worker access and maintain productivity during shutdowns and stay-at-home orders. Criminals were quick to take advantage of vulnerabilities, unleashing a host of attacks ranging from malware and viruses to targeted social engineering and phishing attacks across industries.

Some of the most notable cyberattacks in the last year were against health care organizations. What makes the threat unique for these organizations is that they are charged not only with protecting their own networks and databases from attack, but also with safeguarding patient information, a valuable commodity on the dark web.

Healthcare IT News, a HIMSS Media publication, found that more than 40 million patient records were compromised in 2021 by incidents reported to the federal government. The use of connected medical devices, which include tools to track crash carts, ventilators and vital sign monitors, has increased exponentially over the last decade. Sadly, these devices are targets for cybercriminals because they often lack adequate security controls.

One of the largest reported cyberattack incidents, a health insurance plan provider breach affecting 78.8 million people, was caused by a phishing email that was opened by an employee and infected 90 different systems within the company. The impact of such breaches on both organizations and individuals is tremendous, and the costs of remediating them are staggering. As the chart demonstrates, in 2020 a health care data breach cost $7.13 million on average, surpassing the average cost of breaches in 17 other industries worldwide.

Given the risks and costs associated with cyberthreats, health care information security should be of utmost importance for organizational leadership. Ignoring security needs or failing to appropriately analyze and invest in protective measures will lead to heightened exposure, increased costs and disruption to patient care that could mean the difference between life and death.

To fortify their cybersecurity, health care providers and organizations should consider the following measures:

• General risk analysis: Measures data storage, access controls, security policies, governance, antivirus protection, incident response planning, liability insurance and more.
• Remote workforce assessment: Evaluates employee tools, solutions, controls, shared data processes, virtual private networks and regulatory requirements.
• Framework certification: Aligns to a framework certification, like HITRUST, that fits organizational needs and can help control risks.