By Freddie Sanchez, Director of Technical Services, Altera Digital Health
LinkedIn: Freddie Sanchez
LinkedIn: Altera Digital Health
The recent Canvas data breach sent shockwaves through education, but it’s a situation all too familiar for those of us in healthcare. For years, our industry has consistently been a top target for bad actors, and that trend is unlikely to change anytime soon.
While hackers can gain $3 for credit card information and $15 for a Social Security number, medical records can sell for as much as $60.
It’s time for a mindset shift in healthcare. It’s no longer a matter of “if” or “when” your organization will become a target, but “how bad” the damage inflicted could be.
With that, healthcare leaders must understand the factors at play and steps to take to keep their systems and organizations secure.
Accelerating risks with AI
Artificial intelligence (AI) is being touted across the industry as an efficiency and productivity multiplier. Unfortunately, AI has the same effects for those with nefarious purposes, too.
Bad actors are now using AI to crack passwords in record time. What used to take several hours can now be done in just a few, if not in minutes or even seconds, depending on the characters’ complexity. And as agentic AI expands, the barrier for entry is lowering for novice hackers who have the potential to harm organizations with just a few prompts.
Beyond making bad actors more effective, AI leveraged within healthcare organizations invariably carries some risk as well. AI or otherwise, every system added to a healthcare organization’s network expands the attack surface.
Shrinking cybersecurity teams
Much like clinicians, cybersecurity professionals are in greater demand than they are in supply across industries. Studies suggest that while there are more than one million cybersecurity professionals in the U.S., more than 500,000 jobs in this field may remain unfilled. This leaves hospitals and practices in a difficult position because they are often tapping into the same talent pool as organizations in other sectors that don’t operate on as thin of margins.
Too frequently, small- and mid-sized organizations treat IT as an afterthought. And even for organizations with sizable IT teams, security often lacks appropriate budget, staffing, specialized expertise and resources because it does not drive revenue. But cybersecurity is a lot like insurance: its full value isn’t always appreciated until an incident happens.
For small-yet-mighty cybersecurity teams, it can be difficult to determine what to prioritize when being pulled in different directions. And yet, many organizations overlook foundational needs.
If you’re looking to renew your organization’s commitment to good cyber hygiene, don’t let these common pitfalls go unaddressed:
1. Lack of governance and processes
Organizations without sufficient staff often lack the capacity to build governance frameworks, runbooks and procedures. Without that governance, vulnerabilities inevitably fall through the cracks, and organizations also risk falling out of compliance with regulatory requirements.
For example, a HIMSS survey of healthcare cybersecurity professionals revealed that more than half of respondents said their organization either had no approval process in place for AI use or they were not aware of any such policies.
2. Identity management issues
Without a defined governance structure or consistent accountability, additional security lapses inevitably propagate across organizations. One of the biggest risk areas is identity management. Across industries, 69% of organizations report an identity-related breach in the past three years, and 45% say these kinds of breaches are costlier than the average breach.
When IT or security teams are stretched thin, it’s all too tempting, for example, to copy a user profile when onboarding a new employee and erroneously give that employee excess access. From least privilege access to robust password criteria, overlooking basic security controls can have complex consequences.
3. End-of-life equipment
While innovation is moving at a rapid speed today, healthcare organizations cannot always keep up with that pace. A prime example of this gap is continued use of end-of-life equipment. Whether budget constraints or staffing shortages are to blame, many organizations continue running hardware that manufacturers no longer support through firmware updates or security patches.
These unpatched vulnerabilities are exploitable entry points for bad actors. If compromised, attackers can encrypt data or exfiltrate it to effectively hold the organization hostage. Holding onto old equipment or devices that function properly may seem like a cost-cutting measure, but without ongoing security improvements, they can become a disaster waiting to happen.
Committing to core principles
Just as eating one salad won’t improve your health overnight, no single preventative or protective measure can completely safeguard your organization.
Strong cybersecurity is not an endpoint. It is the summation of decisions, big and small, to invest time and resources into discipline, adaptability and ultimately, patient safety. While the threat landscape will continue to evolve, the most resilient organizations will be those that treat data privacy and security as existential organizational priorities. Because they are.