Every
healthcare
system
in
the
United
States
has
its
own
level
of
vulnerability
to
cyberattacks.
And
each
system,
to
the
degree
its
resources
and
perception
allow,
is
trying
to
eliminate
those
vulnerabilities.
But
many
hospitals
don’t
have
a
clear
picture
of
where
and
how
they’re
susceptible
to
attacks.
Systems
struggle
to
meet
minimum
compliance
requirements
while
lacking
the
resources
or
support
to
implement
broader
cybersecurity
measures.
As
a
result,
cybercriminals
are
breaching
the
walls
with
alarming
frequency.
Consider:
-
The
Change
Healthcare
cyberattack
earlier
this
year
has
cost
parent
company
UnitedHealth
$900
million
and
affected
nearly
a
third
of
Americans
directly
or
indirectly
-
A
May
attack
compromised
healthcare
at
Ascension,
including
postponed
surgeries,
canceled
appointments
and
diverted
ambulances
-
An
HCA
Healthcare
data
hack
that
affected
11
million
patients
was
the
largest
in
2023,
a
year
that
saw
a
record
725
breaches
Healthcare
providers
and
vendors
are
learning
the
hard
way
that
hackers
are
relentless
and
resourceful,
constantly
adjusting
tactics
and
tools
and
using
new
technology,
including
AI,
to
launch
more
sophisticated
attacks.
Hospital
defenses
typically
lag
behind.
Cyber
defenses
that
worked
a
few
years
ago
are
no
longer
adequate.
Often,
targets
are
unclear
about
where
and
how
to
upgrade
their
protection.
Public
and
private
measures
Alarmed
by
the
attacks,
the
public
and
private
sectors
are
pressing
healthcare
systems
to
do
more.
Insurers
who
sell
cyberattack
insurance
are
insisting
hospitals
shore
up
defenses
or
lose
coverage.
The
administration
is
allocating
$800
million
for
cybersecurity
in
the
proposed
FY2025
Health
and
Human
Services
(HHS)
budget.
In
addition,
there
are
separate
healthcare
cybersecurity
bills
in
the
House
and
Senate.
The
Senate
measure
would
penalize
systems
that
fail
to
improve
their
defenses.
New
York
is
the
first
state
to
regulate
cybersecurity.
Its
new
requirements
require
hospitals
to
enact
data
protection
beyond
what’s
mandated
by
the
federal
Health
Insurance
Portability
and
Accountability
Act
(HIPAA).
They
require
healthcare
systems
to
conduct
an
annual
assessment
of
potential
risks
and
vulnerabilities
and
establish
a
cybersecurity
program
based
on
that
audit,
including
provisions
for
reporting,
countering
and
recovering
from
a
data
breach.
In
addition,
hospitals
must
have
a
part-
or
full-time
chief
information
security
officer
(CISO)
to
guide
and
support
cybersecurity
measures.
Underfunded
and
under
attack
Healthcare
organizations
cannot
afford
to
wait.
They
must
act
swiftly
and
continuously
to
fend
off
attacks.
However,
many
systems
do
not
have
the
necessary
budgets,
know-how
or
personnel
to
accomplish
everything
they
need.
Staffing
cybersecurity
teams
is
a
particular
problem.
According
to
a
HIMSS
Healthcare
Cybersecurity
Survey:
-
74%
of
respondents
said
recruiting
qualified
cybersecurity
professionals
was
a
challenge
-
47%
said
a
lack
of
cybersecurity
experience
or
skills
was
a
challenge
in
hiring
-
38%
said
a
lack
of
candidates
with
healthcare
experience
was
a
challenge
Along
with
a
shortage
of
qualified
candidates,
healthcare
organizations
often
do
not
have
the
budget
to
hire
them:
-
43%
of
respondents
said
they
do
not
have
sufficient
budget
to
hire
the
staff
they
need
-
28%
said
non-competitive
compensation
was
a
barrier
Inadequate
compensation,
stress
and
long
hours
contribute
to
a
retention
problem.
In
the
HIMSS
survey,
57%
of
respondents
said
retaining
qualified
workers
is
a
problem.
Cybersecurity
budgets
are
rising,
however,
which
could
relieve
some
of
the
problems.
Third-party
risk
management
The
attacks
are
not
going
to
stop.
Healthcare
organizations
make
tempting
targets
for
hackers
for
several
reasons.
They
hold
enormous
amounts
of
patient
data,
which
is
particularly
valuable
because
it
includes
both
personal
and
financial
information.
Also,
they
have
numerous
vulnerabilities,
internally
and
externally,
particularly
because
the
data
is
fragmented
and
held
in
multiple
locations;
and,
in
the
case
of
ransomware,
any
interruption
to
critical
operations
brings
to
bear
enormous
pressure
to
resolve
the
situation,
even
if
it
means
paying
a
ransom.
Hospitals
are
most
often
attacked
indirectly
through
third-party
vendors
whose
software
they
license.
It’s
extremely
difficult,
if
not
impossible
with
manual
methods,
for
healthcare
systems
that
work
with
hundreds
of
third-party
applications
to
be
sure
each
vendor
has
adequate
defenses
and
is
following
cybersecurity
best
practices.
Even
if
the
vendor
is
at
fault,
healthcare
organizations
bear
the
brunt
of
the
attack.
Fortunately,
there
are
ways
they
can
protect
themselves:
-
Risk
assessment
–
Mapping
the
vendor
network,
auditing
vendors’
security
processes
and
monitoring
their
security
posture
on
a
regular
basis.
-
Remediating
vulnerabilities
–
Fixing
vendor
vulnerabilities
identified
in
Step
1,
adjusting
liability
for
direct
damages
if
needed,
or
replacing
vendors
who
won’t
comply.
-
Adapting
practices
–
Putting
policies
and
procedures
in
place
that
continue
to
prioritize
third-party
risk
management,
such
as
integrating
security
reviews
into
the
buying
process
BEFORE
a
purchase
has
been
made.
The
need
for
outside
help
Healthcare
systems
operate
with
narrow
margins,
as
they
struggle
with
labor
costs
and
workforce
shortages.
In
this
environment,
funding
requests
to
bolster
cybersecurity
must
compete
with
other
priorities.
Hospital
boards
can
be
reluctant
to
allocate
funds
because
they
are
unaware
of
how
vulnerable
their
organizations
are.
The
result
is
often
a
patchwork
approach
to
cybersecurity
that
leaves
gaps
for
attackers.
And
the
approaching
wave
of
government
regulations
addressing
cybersecurity
will
add
to
the
financial
burden
on
hospitals.
Most
healthcare
systems
do
not
have
the
resources
or
expertise
to
deploy
reliable
defenses
and
stay
abreast
of
all
threats.
Many
find
it
more
efficient
to
partner
with
a
firm
dedicated
to
cybersecurity
and
risk
management
services.
Healthcare
cybersecurity
experts
are
familiar
with
hospital
technology,
business
practices,
interoperability
and
the
best
defenses
against
cyberattacks.
They
can
provide
organizations
with
a
comprehensive
view
of
risk
and
guide
the
creation
and
improvement
of
a
health
system’s
overall
cybersecurity
program.
They
also
help
identify
and
manage
third-party
risk
posed
by
vendors.
These
experts
can
give
healthcare
organizations
peace
of
mind
and
allow
them
to
focus
on
delivering
healthcare.
There
is
no
foolproof
safeguard
against
hackers,
but
healthcare
organizations
owe
it
to
themselves,
their
patients
and
partners
to
mount
the
best
defense
possible.
Photo:
anyaberkut,
Getty
Images
George
C.
Pappas
is
the
CEO
of
Intraprise
Health,
a
Health
Catalyst
Company,
and
a
seasoned
high-tech
executive
with
over
35
years
of
cross-functional
expertise
in
Sales
&
Marketing,
Professional
Services,
Operations,
Product
Management,
and
R&D.
He
previously
served
as
Chief
Customer
Officer
and
Chief
Operating
Officer
at
DrFirst,
where
he
significantly
expanded
the
customer
base
to
over
1,400
hospitals
and
100,000
prescribers
across
the
US
and
Canada.
George
has
a
proven
track
record
of
guiding
software
and
services
companies
from
inception
to
high-growth
stages,
including
Initial
Public
Offerings,
with
revenues
ranging
from
$5M
to
over
$100M.
Prior
to
DrFirst,
he
was
Chief
Operating
Officer
at
Motionsoft
and
served
on
their
Board
of
Directors,
as
well
as
Executive
Vice
President
and
Board
Member
at
Presidium.His
extensive
experience
spans
Healthcare,
Financial
Services,
Telecommunications,
National
Security,
and
Higher
Education.
George
has
led
R&D
teams
across
the
US,
India,
Russia,
Poland,
and
China.
He
is
active
in
CHIME
and
a
member
of
their
CFCHE
program.
George
also
holds
a
patent
in
sales
risk
management
and
is
a
graduate
of
Boston
University.
This
post
appears
through
the MedCity
Influencers
program.
Anyone
can
publish
their
perspective
on
business
and
innovation
in
healthcare
on
MedCity
News
through
MedCity
Influencers. Click
here
to
find
out
how.
Staci
Chris
Kathryn
