The past few years have emphasized just how important cybersecurity is. As cybercrime reached record heights and more companies went digital, industries realized their current security efforts fell short. Healthcare is a prime example.
The medical sector has had the second highest number of data breaches of any industry for more than five years. This became increasingly noticeable in 2019 alone, when the industry experienced 525 data breaches, up from 369 the year before.
The COVID-19 pandemic only worsened this issue. The last two years saw more than 870 data breaches affecting 500 or more patients’ health information. Cybersecurity budgets in this sector need to be bigger.
Cybersecurity Threats Facing HealthCare
A few specific risks pose the biggest threats to the medical industry. As is the case with many sectors, the most common cybersecurity threat facing healthcare is human error. Non-malicious misuse of company systems and employees falling for phishing attacks are common security issues across medical organizations.
In some cases, this is as simple as an employee clicking a wrong button or overlooking a step, accidentally exposing sensitive data. However, the implications are often far more severe. Healthcare professionals aren’t usually cybersecurity experts, and many fall for avoidable phishing schemes, leading to more dramatic instances of cybercrime.
One of the most concerning of those more severe threats is ransomware. At least 91 health organizations suffered ransomware attacks in 2020—almost double the 2019 figure. These attacks affected the data of more than 18 million patients and cost $9.42 million on average.
These cybersecurity threats have risen so quickly because of two main trends. First, healthcare companies are rapidly digitizing, so their technology adoption is outpacing their security maturity. Secondly, the pandemic has emphasized just how valuable medical data is, and cybercriminals have noticed.
Current Efforts Are Not Enough
Despite how widespread and evident this issue has become, the industry hasn’t put much money towards fixing it. Only 22% of IT managers in healthcare are confident that their organization is giving them enough funds to secure their systems.
Budget data reflects this. While 59% of healthcare organizations plan to increase their cybersecurity budgets this year, these changes are relatively small. Most of those that plan on raising these budgets will only do so by less than 10%, and only 11% plan to increase it by 25% or more.
Hospital cybersecurity spending typically only accounts for 5% of the overall IT budget. A meager 9% increase with figures like that translates to a fairly insignificant change. If the medical industry keeps accelerating new technology adoption at its current pace, these marginal budget increases won’t do much to protect them.
Where HealthCare Organizations Can Go From Here
Part of the reason why healthcare providers aren’t increasing their cybersecurity budgets as much as they should is simply because it’s challenging to do so. While 73% of medical decision-makers recognize the need to increase cybersecurity spending, only 40% believe they can.
Securing cutting-edge medical equipment can be expensive, and not all healthcare providers can afford to implement the latest defenses. Thankfully, some steps can help them become safer despite tight budgets.
One of the most significant security improvements healthcare organizations can make is also the cheapest: training. Human error is the leading cause of medical data breaches, and the best way to prevent this is with knowledge. If healthcare providers taught their workers the best security practices and regularly emphasized their importance, they could possibly prevent or at least reduce the number of many breaches.
Studies show that training pays off, too. According to KnowBe4’s security awareness report, employees who trained once per month were 34% less likely to click on suspicious links or attachments compared to those who received training no more than twice a year.
Of course, training is only part of the equation. The growth of the cyber-insurance industry may help, as it mitigates the cost of data breaches. One could effectively posit that when healthcare providers lose less money from these incidents, they will understand the value of and dictate more to spend on cybersecurity.
These organizations can also apply some technical management changes. Segmenting networks and restricting access will reduce many risks. Often, these changes are just a matter of a system configuration change. This step will prove particularly important as hospitals increase their internet of things (IoT) adoption.
The savings from reduced breaches will eventually pay off any budget increases for better security. This shift may take a while, but if more healthcare providers recognize it, they may be more willing to invest in better protection.
The Medical Industry Needs Better Security
Healthcare today faces many stresses, and cybersecurity is one of the most prominent. When providers see how big this issue is, security budgets could start rising, and the cybercrime epidemic will fade. The industry will likely never be fully rid of cybercrime, but increasing their security spending is a good place to start.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
