• Huron Companies
    • Innosight
    • Studer Education
  • Submit RFP
  • Careers
  • Technology Partners
  • Contact Us
  • About Us
  • Favorites
Huron Logo Huron Logo
  • Expertise
    • Business Operations
    • Care Transformation
    • Consumer Transformation
    • Digital
    • Organizational Transformation
    • Research Enterprise
    • Strategy & Innovation
    • Upcoming Huron Events

      View Events
  • Industry
    • Education
    • Energy & Utilities
    • Financial Services
    • Healthcare
    • Industrials & Manufacturing
    • Life Sciences
    • Public Sector
    • See All
    • We collaborate with the best and brightest in technology.

      Learn More About Our Partners
  • Our Experts
    • View All Expert Bios
    • Find an expert specialized in your industry.

      Book a Speaker
  • Insights
    • Articles
    • Case Studies
    • Research
    • Get the latest insights and updates from our experts.

      View All Insights
  • Investor Relations
    • News
    • Events
    • Financial
    • Stock Info
    • Corporate Governance
    • See All
    • Learn more about Huron and our most recent financial results.

      Investor Presentation
  • Contact Us
  • Expertise
    Expertise
    Business OperationsCare TransformationConsumer TransformationDigitalOrganizational TransformationResearch EnterpriseStrategy & Innovation

    Upcoming Huron Events

    View Events
  • Industry
    Industry
    EducationEnergy & UtilitiesFinancial ServicesHealthcareIndustrials & ManufacturingLife SciencesPublic SectorSee All

    We collaborate with the best and brightest in technology.

    Learn More About Our Partners
  • Our Experts
    Our Experts
    View All Expert Bios

    Find an expert specialized in your industry.

    Book a Speaker
  • Insights
    Insights
    ArticlesCase StudiesResearch

    Get the latest insights and updates from our experts.

    View All Insights
  • Investor Relations
    Investor Relations
    NewsEventsFinancialStock InfoCorporate GovernanceSee All

    Learn more about Huron and our most recent financial results.

    Investor Presentation
  • Careers
    Careers
    Join Our Talent CommunitySearch Open PositionsBenefits
  • About Huron
    About Huron
    The Huron DifferenceOur People & ValuesMaking an ImpactOur ResultsInvestor RelationsLocations
  • Help & Support
    Help & Support
    Contact UsSubmit an RFPBook a Speaker
  • Privacy
    Privacy
    Privacy StatementTerms & ConditionsCookies PolicyFraudulent OffersLabor Condition Applications
  • Contact Us
  • Favorites
    Recent Favorites
    You have no saved content.

Healthcare Cybersecurity: Moving from Awareness to Action

Favorite Bookmark
Download Email Subscribe Print

In healthcare, cybersecurity threats tend to elicit a type of normalcy bias where leaders who have yet to experience an attack, or those who have weathered less significant attacks, underestimate the likelihood that a disastrous event will impact their organization. Moreover, in the past there was a level of risk organizations were willing to tolerate when it came to data breaches.

Recent Huron research reveals that attitudes may be changing. In a survey of healthcare providers, executives named data security as the top industry trend impacting their organization now and in the next three to five years.

Elevated Risk and Consequences

Cyberattacks and resulting data breaches hold devastating consequences for healthcare organizations, including massive financial payouts, disruption of business operations and the inability to adequately and safely care for patients. Equally as costly is the loss of consumer trust and damage to brand reputation as organizations struggle to compete in a new era of healthcare consumerism.

Recent reports found that 93% of healthcare organizations have faced a data breach in the last three years. The uptick in known data breaches may be due in part to more accurate reporting and heightened public awareness, but there is no doubt that the severity and sophistication of cyberattacks are at an all-time high with the average cost of recovery totaling $1.4 million per attack.

Thinking Differently About Security

Despite the threat level and acknowledgment from leaders that security is vital, as well as the existence of federally mandated security risk assessments, healthcare organizations remain highly susceptible to attacks.

The complexity of the healthcare environment makes defending against cyberattacks and data breaches difficult, but that doesn’t mean that security is impossible. As organizations move care outside the hospital, smaller facilities may have vulnerability points such as on-site servers that could easily be accessed or stolen. Below are steps organizations can take to better align resources and shift mindsets about information security in healthcare:

Right-size security. Budget constraints and competing lists of priorities make it hard for leaders to prioritize cybersecurity over adoption of new revenue-generating technology such as analytics platforms or robotics.

Critics are quick to compare healthcare’s cybersecurity performance with that of other major sectors such as banking and financial services, which consistently outspend healthcare on IT security. At the same time, organizations have to be careful not to equate spending with protection.

Leaders need to be aware of what best practices apply to organizations of their size and complexity and plan accordingly. A thorough risk assessment and strategically selected improvements can have a big impact on how well an organization avoids and responds to attacks.

Think broader about technology — and risks. New technology and third-party vendors are regularly added to the hundreds of applications already running on a health system’s network. Each creates vulnerabilities that malicious actors can exploit.

As healthcare organizations deploy more consumer-centric strategies, consumers will need assurances that the private information they share through wearables, mobile apps, virtual visits and patient portals is protected alongside their electronic health record.

Medical devices, which are often neglected information technology (IT) assets when evaluating risk strategy, present one of the largest-growing areas of risk for organizations as they can be used to gain access to higher-value areas of a network. Consumers need to know that their devices are safe and can’t be compromised to harm them.

Cloud-based systems allow organizations to scale their information security functions and offset security risks associated with local servers, but there are other considerations when migrating to the cloud, such as ensuring the organization can retrieve its data at any given time. Also, not all third-party cloud services vendors are equal.

Stratifying vendors according to risk — how much data is managed, the sensitivity of that data and how mission-critical the data is — helps to guide the type of business relationship and level of oversight required with each vendor.

Actively prepare for evolving threats. In addition to malware and phishing emails aimed at stealing valuable patient data, healthcare organizations now contend with increasingly sophisticated ransomware. In the past, attackers would paralyze a health system’s operations and care delivery by taking control of financial or patient data until a sum of money was paid. The latest ransomware perpetrators leverage stolen data by publishing small subsets of data publicly in order to accelerate payments from breached organizations fearful of additional exposure.

Information security and compliance officers should stay informed by following sources that monitor new and growing cyberthreats, such as the Office for Civil Rights (OCR) privacy and security group email list and the United States Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), the agency responsible for protecting the nation’s infrastructure from cybersecurity threats.

Build the right culture — it matters.Technical security is not a substitute for culture. A positive security culture is one in which people at every level of the organization take security seriously. Employees should have a mechanism to report issues or mistakes without fear of retribution, and there must be trust between employees and leadership that concerns will be addressed once reported.

Invest in your employees and leaders. One of the most important steps organizations can take is to continue educating employees about the risks around them, such as phishing emails or other common areas of infiltration.

Federal regulations require that healthcare organizations designate a named individual for the role of chief information security officer (CISO). Too often organizations undervalue the importance of this role in building an effective security program and designate an individual without the proper training or experience. Healthcare organizations should invest in building out a full job description for their CISO and allocate the resources to fill the job with a fully qualified candidate.

KEY TAKEAWAYS

The healthcare industry is defending itself against unprecedented levels of cyberthreats. To reduce susceptibility to attacks, organizations should:

Think differently.

Don’t allow complacent attitudes and reactionary behavior to steer cybersecurity strategy; security programs should be proactive and always evolving just like threats.

Plan differently.

Take risk assessments to the next level in order to identify the right level of security investment needed for organizations of your size and complexity.

Act differently.

Resource security programs adequately with the tools, information, skilled leaders and culture that are needed to protect healthcare organizations against growing threats.

Favorite Bookmark
JS Inject Download Email Subscribe Print
Business Operations Digital Healthcare Academic Health System or Hospital Ambulatory or Pre-acute Cancer Center or System Children Health System or Hospital Community Health System or Hospital Critical Access Hospital Long-term Care or Post-acute National Health System Physician Practice or Medical Group Professional Association Public Health System or Hospital Regional Health System or Hospital Women Health System or Hospital

Related Work

  • Moving Healthcare Data Analytics Forward With Good Governance

    Read More

    To advance their use of data for decision making, organizations must first focus on foundational principles that make the broader adoption of data analytics possible.

  • Data Due Diligence in Strategic Acquisitions, Mergers and Partnerships

    Read More

    Healthcare organizations have to plan sooner for data integration when vetting assets in the due diligence phases of a merger, acquisition or partnership.

  • The Untapped Potential of Healthcare Supply Chain

    Read More

    While supply chain is recognized for its cost cutting potential, it also plays a critical role in advancing — or hindering — enterprise efforts to transform care.

View All

We use cookies on our website to provide you with a more personalized digital experience, enable website functionality and understand the performance of our site. You may review our Privacy Statement and our Cookies Policy. By using this site you agree to our use of cookies. I Accept

  • Expertise
    • Business Operations
    • Care Transformation
    • Consumer Transformation
    • Digital
    • Organizational Transformation
    • Research Enterprise
    • Strategy & Innovation
  • Industry
    • Education
    • Energy & Utilities
    • Financial Services
    • Healthcare
    • Industrials & Manufacturing
    • Life Sciences
    • Public Sector
  • About Huron
    • The Huron Difference
    • Our People & Values
    • Making an Impact
    • Our Results
    • Investor Relations
    • Locations
  • Help & Support
    • Contact Us
    • Submit an RFP
  • Careers
    • Search Open Positions
    • Join Our Talent Community
    • Our Commitment
  • Legal
    • Privacy Statement
    • Terms & Conditions
    • Studer Education: Subscription Product Terms of Use
    • Cookies
    • Fraudulent Offers
    • Labor Condition Applications
Huron Logo
  • LinkedIn Icon
  • Twitter Icon
  • Facebook Icon
  • Instagram
  • Youtube Icon

© 2022 Huron Consulting Group Inc. and affiliates. Huron is a global consultancy and not a CPA firm, and does not provide attest services, audits, or other engagements in accordance with standards established by the AICPA or auditing standards promulgated by the Public Company Accounting Oversight Board (“PCAOB”). Huron is not a law firm; it does not offer, and is not authorized to provide, legal advice or counseling in any jurisdiction.