The Quiet Corporate Health Cybersecurity Struggle Playing Out in Plain Sight

The Quiet Corporate Health Cybersecurity Struggle Playing Out in Plain Sight

Marisa Polowitz

Associate Editor

Loyola University Chicago School of Law, JD 2023

Cyberattacks on the healthcare industry have reached a fever pitch. In 2020 alone, there was a drastic increase in healthcare organization cybersecurity breaches. In 2021, the average cost of a healthcare data breach increased by over $2 million to $9.23 million. Healthcare providers continue to be the most targeted industry for cybersecurity breaches, with over ninety-three percent of healthcare organizations experiencing a data breach over the past three years. 306 breaches of unsecured protected health information (“PHI”) impacting 500 or more individuals were reported to the U.S. Department of Health and Human Services (“HHS”) in 2020. Yet healthcare organizations continue to be ill-equipped to handle this growing problem.

What factors contribute to the cybersecurity risks in the healthcare industry?

Health care technologies are rapidly evolving, and healthcare organizations race to keep pace. To stay competitive, healthcare organizations continually adopt new technologies, increasing the organizational vulnerabilities to cyberattack. The opportunity potential of new technologies consistently outweighs the enforcement of requisite security measures.

Business Associates (“BAs”), companies that partner and share data with healthcare companies, are commonly utilized to distribute health information, digitize data, and supply medical devices. BAs frequently have weaker cybersecurity measures than their clients and are targeted for cybercrime just as often.

In an effort to minimize impact on direct care providers, organizational leaders often decline to enforce enhanced security measures. Implementation of meaningful (and somewhat simple) security tools such as multi-factor authentication (“MFA”) and single sign on solutions (“SSO”) require training, which can be considered disruptive to the provider’s primary focus – caring for patients. The conflict between the demand for training of healthcare providers to stay compliant and informed plus the need for security training to stay apprised of a rapidly changing threat landscape is an ongoing issue.

Why is healthcare the cybersecurity problem child?

Healthcare organizations are a treasure trove of data for cybercriminals. Their networks house a wealth of sensitive information – financial data, insurance information, and patient information. PHI is more valuable than financial data. While credit card and password data is only good until it is changed, PHI contains information such as social security numbers, that have a much longer (and more valuable) shelf life. These organizations have an ever-increasing number of attack surfaces, including Electronic Health Record (“EHR”) systems and relatively easily-hacked, and widely-used, medical devices. The COVID-19 pandemic pushed this even further, with rapid adoption of telehealth and many workforces transitioning to remote work. These systems are interconnected, making entry into one device a gateway to more.

An additional obstacle is the nature of provider employment. Hospital staff turnover is high and often providers are employed at multiple organizations, resulting in access to many networks and EHR systems, increasing the potential attack surfaces and vulnerabilities.

While many elements contribute to the heightened risks faced by healthcare organizations, the root may be traced to how industry leaders allocate funding within information technology (“IT”). A recent study showed that the healthcare industry spends an average of only five percent of its IT budget on security. By comparison, the financial services industry spent an average of 10.9 percent of IT budgets on cybersecurity in 2020. Despite current trends pointing to a need for increased funding, most cybersecurity leaders in the industry believe that the money will not be forthcoming.

The lack of cybersecurity funding has a domino effect. Limited allocation of funds causes staffing shortages, inadequate proactive measures, and delays in detection of cyberattacks which make it harder to mitigate the impacts. Without substantial preventative measures, post-breach mitigation is costly. In 2021, the healthcare industry had the highest average cost of a data breach for the eleventh year in a row. The most effective way to avoid these expenses is to prevent a breach from occurring in the first place. Regardless, the general focus of industry leaders continues to lean towards the remedial rather than the preventative approach.

Financial costs aren’t the only fallout from cybersecurity attacks. A recent survey done by Ponemon Institute revealed that twenty-two percent of healthcare organizations saw an increase in patient mortality following an attack. System downtimes caused by cybercrime can create delays in testing and medical procedures, which can be deadly.

How can it be fixed?

Healthcare is one of the most heavily regulated industries in the U.S. The Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) govern healthcare data privacy and security. While still extremely relevant, the landscape has shifted drastically since the implementation of these acts in 2003 and 2009, respectively.

Legislation and regulations need to reflect the times — cybersecurity and data privacy can’t be ignored or an afterthought. There has been a flurry of state-level data privacy and cybersecurity laws moving through state governments, and an increasing trend for similar proposals at the federal level. Organizations and data subject to HIPAA are often exempt from these new and proposed regulations – owing in large part to the belief that HIPAA is sufficient coverage for PHI.

Cohesive, comprehensive, and simplified regulations in healthcare security could help organizations proactively defend against cyberattack, and limit the fallout when an attack succeeds.

Cybersecurity regulation should, at least in part, incentivize organizations to comply on the front end — a punitive, reactionary model is not sufficient. Placing a value on preventative approaches could motivate organization leadership to allocate more funding for proactive security system development, increased infrastructure, more robust hiring, and better training. Signaling the importance of meaningful preventative security programs through government, regulatory agencies, and policymakers themselves by creating enhanced funding and streamlined policy will in turn create a shift in mentality among organization leaders.