Cyber risks are getting more complicated and healthcare is not keeping up. Healthcare will continue to be a target for cyber theft and attacks in 2023. The experts are continuing to tell us it is not getting better. Here is what the experts have to say. And join us for the next few weeks as we look at what we might see in 2023.
David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
In about 1985, I became a systems auditor – and my first real foray into Risk and Compliance for Information Technology. Every year since then, and that’s 37 years, just saying, I’ve been waiting for someone to ask me about security for the next year. Every year I hope to say that it is getting better or we’re really making progress and things are finally improving. I will not be able to say that about 2023.
- First, groups like the 405(d) Task Group, the Health Sector Coordinating Council and the Health-ISAC are really getting some legs under them. They are producing great guidance, useful tools, moving much faster and expanding their reach. That is a good start.
- While security is a strategic function of healthcare today, we still must look at the broader economic environment and that is uncertain. Those economic impacts have always impacted IT and security disproportionately in the sector. You cannot care for patients with fewer clinicians, but you can probably keep the wheels on with an older security product or a few less security staff. That is not true but that is how Boards and CEOs and CFOs are forced to view the problem. Expect to see less security spend in healthcare if the economy doesn’t improve – at the time when they can least afford to cut security.
- A subset of the economic situation is continuing mergers and acquisitions in the sector. From an IT and security perspective these rarely go well and even when they do, it only happens over extended periods of time. Two years or more to consolidate systems, leaving both sides more vulnerable.
- Attacks on healthcare are up, particularly ransomware. The attack vectors are growing with interoperability and supply chain issues. Medical devices are finally starting to get the attention that they need in providers, but the install base of legacy devices is huge and won’t be easy or cheap to address.
- What we are seeing is an explosion in mobility, the Internet of Medical Things and wellness/fitness apps that you may connect to your EMR or even across providers. These create new virtual experiences, but the harm is less virtual – the harm can be physical now, we’re seeing hospitals shut down, surgeries stopped, patients being transferred.
- One thing that must happen is the role of the CISO in healthcare is going to have to evolve much more quickly into a true business partner/executive not your “friendly neighborhood cyberman” kind of role. It took CIOs decades to manage that, a CISO won’t have that much time. The CISOs must compel understanding of what is at stake, from the perspective of the business.
- Conversely, Board and other C-Suite leaders are going to have to get up to speed on cyber risk. Sitting around the table saying that the CIO and CISO will take care of that no longer works. It can no longer be a dark secret to business leaders, these are their business risks. They must understand the risks, the implications of their decisions on the business (quality of care, clinical operations, life and death).
- The issues around Cybersecurity insurance are coming into focus and being discussed but that will not stop the short-term bleeding around knowing who can get cyber coverage at what cost and maybe more importantly, what they will have to spend to even qualify to buy the “more expensive, less coverage” policies.
There is significant momentum in Washington right now to assist healthcare organizations across the U.S. with increasing their cybersecurity posture and ensuring safe patient care. The federal government will make strides in 2023 in developing and making available grant and subsidy programs for healthcare organizations for use in bolstering their cybersecurity programs. Numerous programs are already being considered and we expect increased clarity in 2023 towards a solution that brings meaningful support where it is needed most.
Given the current macro-economic backdrop, healthcare organizations will seek vendor consolidation in cybersecurity to simplify internal processes and combat the human capital challenges they face recruiting cybersecurity talent. As the number of technologies needed to secure the four walls of a health system increases, organizations will look for alternative ways to manage the day-to-day components of their cybersecurity programs. Additionally, costs for these burgeoning systems will come under increased scrutiny and some organizations will review their current cybersecurity operations and technology stack to uncover cost savings either through consolidation or outsourcing.
Roe v. Wade – IVF in 2023
As state-by-state laws are formed by the outcome of the Roe v. Wade reversal, clinics around the US will have an unexpected year in terms of patient demand. As states pass or ban reproductive medical procedures, patients looking for IVF treatments may have to go out of state, directly impacting the ability for local clinics to keep the lights on.
Prediction: Cyberattacks on the healthcare industry will have direct, fatal outcomes.
In the case of most cyberattacks, profit is the motive and rarely the aim is to kill. Killing is an unfortunate side-effect of the problem – such as high stakes situations where hackers take control for ransom thinking most hospitals will comply to save lives. For instance, a major US hospital system – CommonSpirit Health – recently suffered a ransomware cyberattack—and a 3-year-old was given a fatally large dose of pain medication as a result.
However, a lack of defined response, or coordinated and up-to-date protocols, leads to mistakes, including ransom not paid in time or no disaster recovery or backup in place. Whatever the reason, small mistakes have deadly consequences in healthcare – even if organizations are willing to pay the ransom. They also have to think about violations of data privacy regulations and repercussions.
Healthcare organizations will continue strengthening their cybersecurity supply chain risk management programs in the coming year. Business associates who wish to sell into this industry must respond by boosting their security programs. Their efforts should include addressing vulnerabilities in their public-facing IT environment that their customers now quickly discover during the acquisition process using services designed for the purpose. Security must be baked into the development lifecycle when their offering consists of a software or hardware solution they developed. Suppose they leverage third-party components as part of their solution; in that case, they need to consider the risk of these components. They should be open to identifying the elements for their customers, monitoring them on an ongoing basis for threats and vulnerabilities, notifying their customers if they become aware of a specific threat or vulnerability, and developing and providing support for remediation. Depending on customer expectations, they may need to plan for investing in third-party assessments and certifications like SOC 2 or HITRUST. Business associates who take these steps and are proactive in partnering with their customers on cybersecurity will achieve a strategic advantage over their less-engaged peers. Those who don’t will be left playing catch up or forced out of the market entirely.
Prediction: Cyberattacks on the healthcare industry will continue to increase.
The healthcare industry is most vulnerable to cyberattacks, which makes it a lucrative target for cybercriminals; attacks on the healthcare industry have grown significantly in 2022, and attacks will even go further in 2023. According to IBM, healthcare breaches cost the most at $9.23 million per incident. And, most importantly, cyberattacks not only affect human lives directly—they also impact patients’ mental well-being.
Additionally, according to a recent SANS and OPSWAT report, “State of ICS/OT Cybersecurity in 2022 and Beyond,” 26% of respondents reported that the healthcare and public health sector is likely to experience a successful ICS compromise with impacts on safe and reliable operations. Lastly, with healthcare staff generally unaware of the extent of cyber risks and best practices, educating them is of vital importance to protect the healthcare industry from cyberattacks.