Cybersecurity Is Increasingly Important for Business—and for Health Care

Health IT

Protecting the confidentiality and integrity of business networks, data, and devices from cybersecurity intrusion has become a requirement in today’s business environment. It is especially important to be vigilant in protecting the end users who typically are the easiest point of entry.

Cybersecurity threats have increased for all types of businesses, but the threats to health care facilities and providers have become a matter of great concern. This is, in part, because of the increased reliance on electronic communications that occurred during the COVID pandemic, but also because cyberattacks in health care affect the business of health care and also have direct impact on patient care.

Health care facilities contain so much high-value data in their files—patient health information, financial information, and Social Security numbers—that it is hardly surprising that they have become increasingly attractive to cyber intruders.  In fact, patient health information has greater value on the dark web than Social Security numbers. Unfortunately for the facilities, remedying breaches in health care is more expensive than it is for other industries—estimated to be three times as great in health care.

Despite warnings about their increased frequency, cybersecurity attacks have been unrelenting in the health care space. From January to June 2020, the Office of Civil Rights in the US Department of Health and Human Services reported 373 data breaches. The cost of a data breach increased almost 10% from a year earlier, with an average cost of $10.1 million. Sixty percent of organizations said they had to increase prices because of a breach.

According to a study by the Ponemon Institute, more than 20% of health security officials said their organizations had experienced one or more of the most common types of attacks:

  • A cloud compromise
  • A ransomware attack
  • A supply chain disruption
  • A business e-mail compromise

Another common type of attack is a distributed denial of service (DDoS). In this type of attack, the website or network is overwhelmed with internet traffic that, in turn, cripples its ability to function.

Unlike cyberattacks in other industries, the intrusions into health care organizations frequently result in delayed procedures and tests that have the potential to negatively affect patient health.  Many organizations have said that cyberattacks have led to an increase in patient mortality rates, which lead to concern among all health-related organizations and certainly among patient advocacy groups. Proofpoint reports that delayed procedures resulted in poorer patient outcomes for 57% of health care providers and increased complications for half of them.

The average reported ransomware cost was $910,000 in 2019 but some demands have gone as high as $10 million. Unfortunately for the organization, once the operating system is infected with malware, the health records become encrypted, making it impossible to access them and to know whether patient data haven’t been duplicated even after the ransom has been paid. The increasing amounts that have been reported for ransomware, along with the threats to institutional reputations imposed by cyber intrusions, should be sufficient motivation for organizations to take steps to prevent these intrusions.

Because of the pressure on hospitals imposed by the COVID pandemic, when many lucrative medical procedures were shut down or delayed, hospitals have found it especially difficult to increase their IT security budgets commensurate with the increase in the digitization of patient information. According to a Deloitte Report, companies spend 6%-14% of the annual IT budget on cybersecurity, spending on average, 10% security. At least as of 2019, hospitals were spending only 5% of their IT budget on cybersecurity. Adding more funding may not resolve the problem, but limiting the funding is likely to exacerbate the challenges presented by cyber intrusions.

The focus is now on CISA (the Cybersecurity and Infrastructure Agency), part of the US Department of Homeland Security, to find and implement sensible strategies that remedy these threats.  CISA has been directed to develop a strategic plan for 2023 to 2025 that covers information-sharing for the “whole of the nation.” CISA understands that it needs to engage in a balancing act—presenting itself as a partner to the private sector and promoting industry collaboration while still advising regulators about cyber issues. CISA will need to determine which incidents should trigger reporting requirements, especially if incidents appear to be systematic.

CISA’s past history has not prepared it for these new responsibilities. Previously, it had only one regulatory role overseeing high-risk chemical facilities, and instructing them to take steps to detect, determine, and respond to attacks.

CISA advises organizations against paying ransoms, but hospitals and other providers have frequently felt that they had little choice but to capitulate to ransom demands. A report by the cybersecurity firm Sophos in spring 2022 indicated that 61% of health care organizations experiencing a ransomware attack during the previous year had felt it necessary to pay the ransom. Knowing that most organizations will pay substantial sums of money has emboldened cyber intruders and made this a vicious cycle that is hard to break. The firms understand that what they are doing increases the likelihood of more cyber intrusions but they do not believe that they have an effective alternative.

The use of cyber insurance only complicates the problem with conflicting incentives. If an organization has sufficient insurance coverage to reduce the pain associated with paying a ransom demand, its willingness to pay increases the attractiveness of cyber intrusion crimes. However, many institutions that have cyber insurance still face some financial exposure, and more than 20% have no coverage at all. Also, not surprisingly, cyber insurance is becoming more expensive and harder to find…exactly what would be expected, given these dynamics.

Cyber intrusions show no signs of slowing down. The highest number of ransomware attacks were reported in the third quarter of 2022 and are the biggest concern of health care executives. While there are some steps that health care executives can take to make cybersecurity measures less cumbersome, including giving representation to clinical teams that can help provide appropriate guidance to security decisions, this is not a threat that will be resolved easily.

Wilensky G. Cybersecurity Is Increasingly Important for Business—and for Health Care. Milbank Quarterly Opinion.  January 26, 2023.

About the Author

Gail R. Wilensky, PhD, is an economist and senior fellow at Project HOPE, an international health foundation. She directed the Medicare and Medicaid programs and served in the White House as a senior adviser on health and welfare issues to President Georege HW Bush. She was also the first chair of the Medicare Payment Advisory Commission. Her expertise is on strategies to reform health care, with particular emphasis on Medicare, comparative effectiveness research, and military health care. Wilensky currently serves as a trustee of the Combined Benefits Fund of the United Mine Workers of America and the National Opinion Research Center, is on the Board of Regents of the Uniformed Services University of the Health Sciences (USUHS) and the Board of Directors of the Geisinger Health System Foundation, United Health Group, Quest Diagnostics and Brainscope. She is an elected member of the Institute of Medicine, served two terms on its governing council and chaired the Healthcare Services Board. She is a former chair of the board of directors of Academy Health, a former trustee of the American Heart Association and a current or former director of numerous other non-profit organizations. She received a bachelor’s degree in psychology and a PhD in economics at the University of Michigan and has received several honorary degrees.

See Full Bio