Healthcare Cybersecurity in 2024

By David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
LinkedIn: David (Samuel) Finn
X: @DavidSFinn

It is very difficult to talk about 2024 without starting from where we are ending 2023. We only need to go back to Thanksgiving to paint the picture of healthcare cybersecurity in 2023. Over Thanksgiving weekend, a single ransomware attack left 30 hospitals across 6 states without network services. This resulted in diversions and rescheduling of non-emergency procedures – not a lot to be Thankful for, for anyone. This attack was the latest in a series of attacks on healthcare organizations – in a year of a record number of ransomware attacks in the sector.

Along with security comes privacy (hopefully). One study found that the number of patients affected by healthcare data breaches jumped from 37 million in 2022 to 87 million in 2023 (yes, fewer breaches in 2023 but a lot more records). And the year is not over as I write this. Happy 2024! At least for class action privacy attorneys.

In 2023, it is impossible to call out cybersecurity without talking about the (dreaded) supply chain – or, more broadly, third-party risk (although the risks/incidents are now going down to the 4th and 5th party). According to a report by Kroll, there has been a notable shift toward increased supply chain risk. This has been driven by multiple factors but certainly by the CLOP ransomware gang’s exploitation of the MOVEit Transfer vulnerability and everyone’s old favorite: email compromise attacks. This is true across all sectors, although Healthcare may be the most hyper-connected sector – and the least prepared, as a sector, to deal with these attacks.

For over 20 years, I’ve been saying “security is a strategic function of healthcare”. We are now seeing that provider organizations, payers and even patients are beginning to see that care delivery and IT delivery are inextricably linked. You cannot talk about patient care without addressing technology and you cannot talk about technology in healthcare (from anyone’s perspective) without talking about security and privacy. That is the good news for 2024! It isn’t just the medical devices; it may be your patient’s phone. Or your home where Best Buy has turned your bedroom into a hospital room.

We will see, next year, multiple books addressing cybersecurity in the space, written by practitioners, and aimed not just at responsible executives in the space but targeted directly to the Boards of Directors in Healthcare. There is also a similar book scheduled for release but aimed specifically at investors in Health Information Technology. Until we build security in, up front, we will never be able to achieve the level of security that the sector should be operating at.

We are expecting a plan from the Health Sector Coordinating Council Cybersecurity Working Group early in 2024, currently titled: Healthcare Industry Cybersecurity Strategic Plan. This will be a first – a very important first.

I don’t sound as bleak as I usually do; we do seem to be at an inflection point. NY state is proposing Cyber regs for healthcare; NY is fining organizations for not having documented cyber policies. The FDA is growing teeth and device makers are waking up. The massive number of attacks and breached records is getting attention (regulation and lawsuits) – not the way you want to get attention, but attention. And the world seems to be realizing that healthcare cannot grow, there cannot be Digital Health, until IT delivery and healthcare delivery are connected – in design, in development, in implementation and in delivery. That is the best news of all.

“Oh”, you’re thinking, “he can’t be too smart. He didn’t even mention AI.” Not ready for prime time and a lot to learn and be discovered – including who and how it will be regulated (watch Europe) – before we roll it out in healthcare or in security. Stay tuned.