By Scott Anderson, CTO and GM of Managed Services, Cantata Health Solutions
LinkedIn: Scott Anderson
LinkedIn: Cantata Health Solutions
Many behavioral health agencies lack adequate controls to address and recover from a cybersecurity incident. What these agencies need are capabilities such as adequate backup and recovery, managed detection and response (MDR), security information and event management (SIEM), data loss prevention and other key security elements. Without these tools, agency leaders cannot identify a security incident and remedy or recover their IT environment.
In a 2024 report, the Ponemon Institute, an IT security research firm, found 92 percent of healthcare organizations surveyed had at least one cyberattack in the past 12 months. According to Linda Stevenson, chief information officer for Fisher-Titus Medical Center in Ohio, when health care budgets tighten, funding for cybersecurity often goes by the wayside. While there are risks for all organizations, behavioral health agencies–which often have few IT professionals with cybersecurity experience–face extra challenges.
To prepare for a cyberattack, behavioral health agency leaders should consider the following actions.
- Understand the opportunity costs of inaction
- Identify all security risks and create a plan for mitigation
- Put in place cyber liability insurance
- Think beyond traditional antivirus software, which is generally ineffective against most security threats
- Act immediately
Paying the price of a cyberattack
Funding a cybersecurity initiative often hinges on how well people understand the consequences of doing nothing. When estimating what a cyberattack would cost, agency leaders should count lost staff time, fees for third-party experts to shore up security (including any hardware or software they recommend), and legal help. The cost can range from tens of thousands of dollars for small agencies to hundreds of thousands or millions of dollars for large organizations. The bills can rise so high that many organizations are forced to close.
Spot the risks, address the gaps
To mitigate risk, put in place a comprehensive plan for security, disaster recovery, and business continuity. Test the elements and seek help to address gaps if there is no in-house cybersecurity expertise. Even when an agency works to identify risks and develops a plan, leaders must act.
Case in point: I worked with an agency that undertook an assessment of security risks and evaluated the findings but shelved the decision because of the cost and effort to remediate the vulnerabilities. Three months later the agency was hit by a cyberattack due to one of the gaps noted in the assessment. The organization spent 25 times the cost of the initial recommended fix and could not provide services to patients for over two weeks.
All behavioral health agency CEOs and board members should ask their team for a security assessment. Whether an experienced internal resource or a third-party organization assesses the exposures, they should scan the dark web, identify internal and cloud-based risks, and pinpoint gaps in policies and procedures. That work leads to recommendations for mitigating and monitoring the risks.
Get insured
Cyber liability insurance is a safeguard against the financial fallout of a security breach. Beyond the obvious steps of getting multiple quotes and comparing policies, an agency should ask a carrier for anonymized case studies or benchmark claims in behavioral health to determine what typically gets paid.
A breach response retainer, which includes forensic, legal and PR services, is also worth negotiating for. There are specialty cyber brokers and IT partners that can help an agency find an insurance carrier, as well as online guides to learn about negotiating for cyber liability insurance.
Beyond the basics
Agencies also need to go beyond training employees about protecting passwords and changing them every 90 days. Employers must spend time teaching employees about phishing attacks and the techniques hackers use to breach a system. When employees know how to inspect a sender’s email address (e.g., hover over the display name to reveal the actual address), hackers will have a harder time spoofing people with an email that appears to be from the agency’s CEO or banker. An organization should also institute manual checks and balances (e.g., verbal confirmation) when emails involve financial transactions, including when they appear to be from the agency’s leaders.
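The "hover to reveal the real address" check above can also be automated at the mail gateway or in a triage script, so that the display name and the actual address are compared before a human ever sees the message. The following Python script is an added example and is not code from the article or from Cantata Health Solutions; the domain `agency.example`, the leader directory and the sample headers are constructed placeholders. It flags the three patterns the article warns about: a leader's name on an outside address, an address written into the display name that differs from the real sender, and a one-character lookalike of the agency's own domain.

```python
import re

# Constructed values for this example: the agency's own domain and a small
# directory of leaders whose names are the usual targets of impersonation.
INTERNAL_DOMAINS = {"agency.example"}
LEADER_DIRECTORY = {
    "jane doe": "jane.doe@agency.example",  # hypothetical CEO
    "sam lee": "sam.lee@agency.example",    # hypothetical CFO
}

# "Display Name <user@domain>" with an optional quoted display name.
ANGLE_RE = re.compile(r"^\s*(?P<display>.*?)\s*<(?P<addr>[^<>]+)>\s*$")
# Anything that looks like an email address inside the display name.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def split_from(from_header: str) -> tuple[str, str]:
    """Split a From: header into (display name, lowercase address).

    A deliberately small parser so the result does not depend on how a given
    Python version's email.utils.parseaddr treats malformed headers.
    """
    match = ANGLE_RE.match(from_header)
    if match:
        display = match.group("display").strip().strip('"')
        return display, match.group("addr").strip().lower()
    return "", from_header.strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str) -> list[str]:
    """Return human-readable red flags for a From: header; an empty list means none."""
    display, addr = split_from(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    domain = addr.rpartition("@")[2]
    display_norm = " ".join(display.lower().split())
    flags = []

    # 1. The display name is a known leader, but the address is not that leader's.
    expected = LEADER_DIRECTORY.get(display_norm)
    if expected is not None and expected != addr:
        flags.append(f"display name '{display}' is a leader, but mail comes from {addr}")

    # 2. The display name itself shows an address that differs from the real sender.
    for embedded in EMAIL_RE.findall(display.lower()):
        if embedded != addr:
            flags.append(f"display name shows {embedded} but mail comes from {addr}")

    # 3. The sending domain is a near-miss of the agency's own domain.
    if domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if edit_distance(domain, internal) <= 1:
                flags.append(f"domain {domain} is a lookalike of {internal}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, three in the styles the text describes.
    samples = [
        "Jane Doe <jane.doe@agency.example>",
        "Jane Doe <jane.doe.ceo@webmail.example>",
        "jane.doe@agency.example <pay.now@evil.example>",
        "IT Help Desk <helpdesk@agency.examp1e>",
    ]
    for header in samples:
        print(header, "->", assess_sender(header) or "no red flags")
```

A gateway rule built on these three checks will not catch every phish, which is why the article pairs it with the manual verbal confirmation for anything involving money. The lookalike check is intentionally narrow (one edited character) to keep false positives low on a busy mailbox; widen it only after measuring how often legitimate partner domains trip it.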
Often, organizations leave themselves open to a cyberattack simply because they are not routinely patching their systems and applications, or are not closing off access to ports that are no longer needed. Especially in behavioral health, where technology is not always a priority, there are organizations with servers over 10 years old. This creates additional risk because hackers know the vulnerabilities to exploit in old operating systems.
If the agency works with a managed services firm for IT support, leadership should ask for help putting together, or rehearsing, a cyberattack communications plan. Along with the communications strategy, a managed services provider can be a resource to help an agency carry out disaster recovery exercises.
Steps after a cyberattack
Agency leadership should contact their insurance company at the outset of a cyberattack. In many cases, the insurer can provide legal guidance as well as a security firm to launch forensics and remediation. The security firm will generally lead the response (e.g., cutting off network access to a particular office, or isolating a set of computers across the organization).
That said, the nature of the attack dictates the response. If, for example, the attack is a ransomware encryption, the agency may be told to shut down its systems to stop the ransomware from spreading and rapidly degrading its environment. Like the technology response, an agency’s communication to clients, business partners, and others depends on the nature of the attack (e.g., whether data was compromised by being stolen or by being infected by a virus).
A matter of when, not if
Ignoring the risk of cyberattacks will not make them go away. The Ponemon Institute’s 2024 report also notes that “55 percent of respondents say their organizations’ lack of in-house expertise is a primary deterrent to achieving a strong cybersecurity posture.” All technological environments are penetrable. To protect a system, an agency has to put in place enough barriers to make a hacker feel it is not worth the time to keep breaking through walls.
Many thousands of times per day, attackers around the world scan the computer environments of companies, small and large alike. Threat actors targeting a behavioral health agency do so mainly because they are opportunists. They look for organizations with low security and lots of entry points that they can extort for money. Because behavioral health agencies often overlook cybersecurity, they leave themselves exposed. Protecting your organization starts with knowing your risks, closing the gaps, and strengthening your system before someone else tests it for you.