
Stronger Together: A Response To Rising Systemic Risk In Healthcare

Forbes article

Merriam-Webster defines systemic risk as "the risk that the failure of one financial institution (such as a bank) could cause other interconnected institutions to fail and harm the economy as a whole." While the financial sector has certainly seen its share of systemic shocks, the cyberattack on Change Healthcare in February 2024 and the recent CrowdStrike IT outage highlighted how systemic risk not only exists in healthcare but can have equal, if not far more severe, consequences. Unlike the financial system, even short-term systemic failure across the health sector means life-threatening delays in treatment, loss of access to medications and ambulances diverted from emergency rooms that have gone dark.

In a recent webinar, “From Change Healthcare to CrowdStrike: Managing Healthcare Systemic Risk,” leading healthcare CISOs and industry experts discussed how the health sector should address growing systemic risk and offered practical advice for strengthening resilience to high-impact cyberattacks and protecting patient care from prolonged downtime in mission-critical systems. In the wake of Change Healthcare, this discussion also underscored the growing importance of sector-driven programs like The Healthcare Cybersecurity Benchmarking Study, a health industry-led initiative that enables healthcare organizations to evaluate and improve their overall cybersecurity maturity, compare their cyber program to peers and help allocate (often scarce) cyber resources and investment. The Study is made available at no cost through the partnership and collaboration of the American Hospital Association, Censinet, KLAS Research, H-ISAC, Health Sector Coordinating Council and the Scottsdale Institute.

The Rise Of Systemic Risk In Healthcare

Over the last few decades, the health sector has evolved into a highly interconnected and interdependent ecosystem. While this has produced significant efficiency gains across the industry, it has also driven increasing exposure to sector-wide systemic risk. Several interrelated forces are exacerbating this risk, including:

Consolidation Of Technology And Services

Mergers and acquisitions in healthcare have concentrated essential services into fewer companies, creating single points of failure—or “choke points”—across the healthcare ecosystem. While choke points are not inherently negative, they represent critical nodes where a major disruption can cascade rapidly throughout the sector and have far-reaching impact. The concentration of mission-critical services into fewer and fewer entities concentrates the risk, so if just one critical node experiences a failure or cyberattack, the impact can quickly ripple through multiple organizations, the region or the entire industry.

Increasing Reliance On Third-Party Vendors

Healthcare delivery organizations (HDOs) depend heavily on third-party vendors for everything from health IT to medical devices to pharmaceuticals. Thousands of HDOs can use the same third party for a particular service to support operations and care delivery. As such, many bad actors have shifted their targeting away from individual hospitals to these third-party vendors, where the potential gains are more lucrative (e.g., more patient data and greater ransom payments). Unfortunately, the potential damage is also greater, since a breach or extended downtime at one vendor can impact a large number of HDOs simultaneously.

What’s more, in many cases, HDOs don’t know the full extent of risk exposure to their third parties; for example, in the case of Change Healthcare, the disruption in claims processing grabbed most of the headlines, but it was reported that over 100 hospital processes were also disrupted. In fact, an American Hospital Association (AHA) survey conducted March 9-12, 2024, during the Change Healthcare cyberattack, found 74% of hospitals reported a direct impact to patient care and 40% of patients reported delays in care and prescription fulfillment. Even worse, many HDOs had no idea they were exposed to Change until it was too late. Going forward, HDOs will need greater depth of visibility into the risks presented by their third-party vendors, and, more importantly, how those risks can impact critical business, operational and clinical functions.

Inadequate Resilience And Preparedness

As ransomware attacks proliferate, many healthcare organizations are simply underprepared to withstand prolonged outages or downtime in critical IT systems. In August 2023, The Joint Commission, with input from the American Hospital Association, sounded the alarm in an alert advising all healthcare organizations to prepare for up to four weeks of downtime in mission-critical services and systems. In effect, HDOs should create a “clinical continuity plan” that codifies downtime procedures for all network-connected systems involved in care delivery. Developed and owned by multidisciplinary teams, not just IT, clinical continuity plans should anticipate prolonged technology outages or third-party failures, and clearly articulate how safe care delivery can continue under these conditions.

Gaps In Basic Protections

While the increasing complexity of healthcare systems continues to create new opportunities for bad actors, the majority of cyberattacks exploit basic vulnerabilities, such as poor identity management, weak multifactor authentication (MFA) and outdated software. Implementing basic security practices and controls like secure MFA, phishing awareness training, regular patch management and routine third-party risk assessments can significantly reduce an organization’s exposure to cyber risks.

Stronger Together—Leveraging Community Collaboration

Facing razor-thin margins and budget constraints, it can be challenging for HDOs to know where to allocate scarce cybersecurity resources and how to prioritize investment to mitigate rising systemic risk. The Healthcare Cybersecurity Benchmarking Study provides healthcare leaders with a comprehensive understanding of their current cybersecurity preparedness and maturity by assessing their program’s controls, policies and procedures against best-practice frameworks and industry standards: the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0); the Healthcare and Public Health Sector Cybersecurity Performance Goals (HPH CPGs), recently announced by the Department of Health and Human Services; the Health Industry Cybersecurity Practices (HICP 2023); and the NIST AI Risk Management Framework (NIST AI RMF). In addition, organizations can measure and compare key operational and productivity metrics such as IT budgets, cyber program costs, organizational ownership and cyber expenses per patient.

Industry-led programs such as the Healthcare Cybersecurity Benchmarking Study enable the healthcare community to leverage one another to compare their performance, manage investment cases and decisions with their board, and implement targeted improvements that improve overall cybersecurity resilience, protect patient care and make the sector truly stronger together.
