Nearly every month in 2020, more than 1 million people were affected by data breaches at healthcare organizations, according to congressional findings. These stats represent a 55% rise in cyberattacks and a 16% increase in the average cost to recover a patient record. In addition, the Department of Health and Human Services (HHS) Office for Civil Rights reports that health information breaches at HIPAA-covered entities have affected more than 33 million people. Such breaches can result in exposure of sensitive patient information, increased healthcare delivery costs, and risk to patient health and safety.
In response, the Healthcare Cybersecurity Act of 2022 was introduced in the U.S. Senate on March 23. The proposed bill aims to enhance the cybersecurity of the healthcare and public health sectors with new healthcare cybersecurity regulations. If passed and signed into law, the Cybersecurity and Infrastructure Security Agency (CISA) and HHS will collaborate to take specific actions including evaluating the cyber challenges of healthcare organizations, analyzing how cyber risks impact healthcare assets, and assessing the workforce shortage, among other items.
Evaluating the challenges
Healthcare organizations face cybersecurity challenges on a daily basis because they collect, process, store, and send large amounts of electronic medical records that cybercriminals can hold for ransom or sell on the dark web. Under the proposed bill, CISA and HHS will evaluate what those challenges are. They will investigate how healthcare organizations secure their systems, devices, and data, how they implement their security protocols, and how they respond to data breaches and attacks.
In a 2021 study, Pondurance surveyed IT, cybersecurity, and privacy professionals at hospitals to better understand their challenges and needs. The study identified the top four cybersecurity challenges anticipated by these professionals as: selecting the right cybersecurity technology, hiring qualified cybersecurity staff, selecting the right cybersecurity service providers, and establishing the right cybersecurity processes.
“The effect of cyberattacks can be greatly reduced by strong security operations,” said Lyndon Brown, Chief Strategy Officer at Pondurance. “Mature detection, response, and prevention operations stop and reduce the impact of incidents. Like any other function, it’s really about the right team, methodologies, and innovation. Security must keep up with the digital progress of healthcare organizations as they aim to address modern patient needs.”
Analyzing the impact of cyber risks
Cyber risks at healthcare organizations impact everything from operating budgets to privacy compliance to patient care. Potential cyberattacks have been the area of greatest concern for hospitals during and after the pandemic, according to a Pondurance study. As a result, hospitals have focused on maturing their cybersecurity infrastructure and investing in people, processes, and technology. The study showed that 52% of respondents increased monitoring, 52% increased investment in cybersecurity tools, and 50% increased their staff. Many healthcare organizations work with a third-party vendor, such as a managed detection and response provider, to help minimize their cyber risks.
“Healthcare organizations are not in the business of cybersecurity,” said Lyndon. “However, patient care and safety can be impacted by cyber threats. Partnering with a provider who offers 24/7 security monitoring and expertise is the most effective way for such organizations to augment in-house capabilities.”
Assessing workforce shortages
Industries worldwide are facing a shortage of cybersecurity talent. More than 1.14 million cybersecurity employees work in the United States, but the workforce needs to increase by 65% to properly defend against cyber threats, according to the (ISC)² 2021 Cybersecurity Workforce Study.
Healthcare organizations are no exception to the talent shortage. Lack of cyber workers makes it hard for healthcare organizations to build and keep in-house cybersecurity teams, at a time when having talented professionals is of utmost importance. Under the proposed bill, CISA and HHS will assess the workforce shortage, including training, recruitment, and retention issues, and make recommendations.
“It is increasingly difficult to find, attract, and retain cybersecurity talent,” said Lyndon. “This is most difficult for small and midsize organizations due to budget limitations. For the cost of a single full-time employee, a healthcare organization can initiate 24/7 monitoring, removing blind spots and lowering risk.”
Data breaches and cyberattacks at healthcare organizations continue to threaten sensitive patient data, healthcare delivery costs, and patient health and safety. However, if passed, the Healthcare Cybersecurity Act of 2022 could be a step forward in helping healthcare organizations better understand and manage their cybersecurity challenges, risks, and workforces.