Investing in Healthcare Cybersecurity in 2022
As 2021 comes to an end, healthcare IT leaders are beginning to prepare and discuss their organizations’ investment plans for the upcoming year. Across the industry, the increasing number of healthcare data breaches and cyberattacks has (1) highlighted the need for better patient, data, and supply chain protection and (2) proven that investing in cybersecurity is no longer optional. Healthcare leaders recognize that attacks are inevitable, so it’s not a matter of if they occur; it’s a matter of when, how frequently, and to what degree. Every healthcare delivery organization will eventually experience a cyberattack if it hasn’t already. The onus is on each organization to determine how it manages the risk.
According to HIPAA Journal, the healthcare industry is a prime target for cybercriminals and experienced the most data breaches. With the internet buzzing about healthcare data breaches, “cybersecurity has become a dinner table conversation,” remarked Elizabeth Butwin Mann, EY Americas Life Sciences and Health Cybersecurity Leader. The 550 healthcare data breaches reported to HHS (as of November 2021) are eye-opening for many CISOs and CEOs. Healthcare cyberattacks impacted more than 40 million people in 2020. An increasing number of cybersecurity and healthcare professionals are speaking out and sharing their investment considerations, cybersecurity knowledge, and predictions for 2022.
According to research in a recent Healthcare IT News article, “43% say funding is keeping their organizations from executing on security challenges they have.” Studies have shown that most hospitals are still responding to the pandemic, are short-staffed with minimal IT or cybersecurity, do not have the funds allocated for cybersecurity, and so forth. Experts are urging healthcare providers to recast their priorities and recognize the criticality of implementing cybersecurity, risk intelligence, unified training for staff, and proper management and protection of patient data.
Currently, healthcare’s biggest concern is digital risk. The funding priority is risk intelligence, as stated in the key findings of Deloitte’s Third-party Risk Management (TPRM) Global Survey 2021. Nearly a third of hospitals and health systems are planning to implement biometrics (29%), digital forensics (28%), or penetration testing (28%) within the next 24 months, according to new HIMSS Media Research. Healthcare as a whole is anticipating that tumultuous data breaches and ransomware attacks will continue into 2022, requiring preparation through risk analysis, proactive remediation, and operational resiliency.
Healthcare IT News, part of HIMSS Media, recently explored investment opportunities in its feature series, Health IT Investment: The Next Five Years. The series interviewed five CIOs and one COO to understand their plans for the next five years and their targeted investments in the following categories: AI and machine learning; interoperability; telehealth, connected health, and remote patient monitoring; cybersecurity; electronic health records and population health; and emerging technology and other systems. These leading healthcare IT interviewees all agree that investing in healthcare cybersecurity is crucial to a successful health system, although costly. Here is what they had to say:
"We have spent a tremendous amount of money in the past two years hardening our defenses and filling gaps, so we are compliant with best practices."
-Mike Mistretta, Vice President and CIO, Virginia Hospital Center
"Cybersecurity is an issue that needs ongoing attention."
-Dr. Umberto Tachinardi, CIO, Regenstrief Institute
"There are so many different types of technology that are important for the cybersecurity platform."
-Cara Babachicos, Senior Vice President and CIO, South Shore Health
"The bad guys keep getting smarter every day," and “we need to continue to advance, but we believe basically next year will kind of be more of a sustained level…If the situation changes and becomes more aggressive, obviously, this is an area that we'll continue to invest in more. But we believe we'll get to a stable level by the end of next year."
-B.J. Moore, CIO, Providence
“These investments are readily agreed upon by members of senior leadership, given the consistent reporting of breaches, hacks and ransomware throughout healthcare and other industries,” and “the potential impact upon operations, patient privacy as well as the reputational harm that may arise from such malicious events, requires constant attention as well as never-ending strategy and investment.”
-Michael Restuccia, Senior Vice President and CIO, Penn Medicine
"Some of the investments will go toward full network visibility, AI-based behavior analysis and connected medical devices, both in our facilities and in patients' homes," Hocks noted. "Our team has intentionally and thoughtfully engaged leadership across the organization on cybersecurity awareness and education, which has pivoted the conversation from a 'sell' to a 'risk-based decision' and included deep involvement and support from our clinical operations."
-Matt Hocks, COO, Stanford Health
For more 2022 cybersecurity predictions from additional industry leaders, check out Health IT Security’s recent article.
The battle of cybersecurity in healthcare is far from over. The health sector has experienced increasing cyberattacks, higher adoption of advanced cybersecurity solutions, rising security and privacy concerns, disrupted patient care, outrageous fines, and in some cases, tarnished reputations. According to research from Forbes, “the number of cyberattacks continues to increase (up 31% in 2021 over 2020), and companies are worrying more about indirect attacks – successful breaches to the organization through the supply chain – which have increased from 44% to 61%.” Forbes also discloses that 82% of its survey respondents reported that they have increased security funding and that investing in cybersecurity is, in fact, essential.
Over the last few weeks, many of us have been heads down frantically responding to the ubiquitous Log4j vulnerability. The sophistication, frequency, and impact of such zero-day vulnerabilities are increasing and will shift healthcare IT investments in 2022, making automated, dynamic risk management and incident response programs the next priorities.
Which cybersecurity investments is your HDO prioritizing in 2022? Send me your thoughts, ideas, and comments.
Ed Gaudet
CEO and Founder, Censinet