Ransomware attack led disruptions have become a new challenge for Chief Operating Officers (COO) to manage according to the experience shared by a leader at the Wyoming Health System. The resulting downtime from ransomware attacks has reached an average of 9.3 days and, unfortunately, the cyber-attacks and breaches in healthcare show no sign of slowing down. They certainly raise questions about the complexity of today’s digital environment, sophistication of attacks, organizational readiness to manage this emerging risk, and effectiveness of current cybersecurity solutions.
Cyber-incidents in healthcare have increased at CAGR of 40% over the recent decade with 2019 noticing one of the largest jumps. Combined these incidents have impacted about 240 million individuals in the US, or up to 73% of the US population. This could certainly be concerning to many to know that their private information is really not that private anymore, and worse yet, can be exploited for illegal activities.
A further look at healthcare cyber incidents over the recent decade indicates that only 30% of the breaches are caused by hacking/IT incidents. In fact, theft emerged as the most prevalent means of breach. This insight raises questions around organizational dynamics and roles & responsibilities.
Should cybersecurity responsibility be primarily owned by the IT/IS teams?
How much effort is allocated to building a “Culture of Security” by the operating/line leadership?
What incentives or penalties do organizations have in place for operating leaders to focus on cybersecurity?
Is cybersecurity approached as an IT/IS technical problem or a cross-functional enterprise risk management challenge?
How versed are the IT/IS team members in understanding all aspects of business operations?
The need for a broader approach to risk management is not to undermine the importance of technical and IT aspects in cybersecurity. In 2019, 60% of breaches resulted from hacking/IT incidents. The deeper look, however, again points to many human-factors. For example, 51% of the breaches in 2019 involved e-mail and theft involving paper records. Further, 35% of incidents involved devices and applications. When it comes of devices, there is nearly always some level of human-factor at play. According to recent news, ‘malware-free’ or fileless attacks accounted for 51% of attacks last year, in which hackers turn to stolen credentials to breach corporate networks. When a large portion of the population’s credentials have been compromised through multiple cyber-incidents, malware-free attacks become easier to conduct. Some of these points beg questions on employee awareness around basic cyber hygiene.
How effective are the employee training programs on cybersecurity in organizations?
What strategies have organizations employed to increase employee engagement in cybersecurity?
Many prestigious organizations such as Walgreens, Henry Ford Health System, Humana, Mt. Sinai Health, and others have faced multiple cyber breaches over the past decade. In fact, Walgreens has been a victim a of cyber-breach every year since 2012. Similarly, Henry Ford Health System has been a victim of cyber-attacks nearly every year since 2011. Other organizations such as Humana, Walmart, and Delta Dental have been breached multiple times just in 2019. Clearly many of these organizations should have the scale, resources and efforts in place to manage cybersecurity. Why are they breached then? Many questions come to mind.
Is the digital environment so complex, or developed without security in mind, such that it is too difficult to manage?
Is the cost and liability of managing cyber-attacks so low compared to the cost of proactive cybersecurity risk management that organizations choose to let that slip?
Do the boards have visibility to such risks in these organizations?
Former Obama adviser Kiersten Todt recently explained why the solution is not spending more on cybersecurity to protect your business. It may very well be about taking a holistic approach to cybersecurity, strong support from the operating leadership team, building a “culture of security,” and engaging the broader organization in a programmatic approach. The result is more effective cybersecurity at a lower cost.
MediTechSafe has developed a proprietary solution to help healthcare providers manage their cybersecurity, medical devices and clinical networks related risks considering both IT and Operations Technology (OT) needs. The MediTechSafe platform helps cost-effectively address many of the challenges mentioned above starting from tracking risk to training personnel, mitigating risks, and responding efficiently when an incident takes place. If you have interest in learning more about MediTechSafe’s solution, you could reach us at info@meditechsafe.com.