Protect patients and their data while minding your budget
In the worst cases, cyber incidents at healthcare organizations can be a matter of life and death, and ransomware extortionists seem to understand how this urgency can help them get paid.
Large breaches of healthcare organizations reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights rose from 369 in 2018 to 712 in 2022, with a 278% increase in ransomware incidents. As more organizations move toward digital recordkeeping, the severity and sheer volume of records lost or stolen have been continuously on the rise. In 2023, over 26 data breaches of more than 1 million records, including four data breaches of more than 8 million records, were reported, according to the HIPAA Journal.
“While increased controls around accurate tracking of electronic devices and adoption of data encryption preceded a downward trend in improper disposal incidents and unauthorized access or disclosure incidents, data breaches continue to increase due to innovative techniques and advanced toolsets easily available in the market that exploit vulnerable systems,” said Grant Thornton Risk Advisory Managing Director Vikrant Rai.
In some circumstances, patients have experienced delayed medical procedures, electronic system downtime, cancellations of scheduled care, diversions to other facilities and other care disruptions as a result of these incidents. Even when patient care is not affected, a healthcare cyber incident can result in the theft of extremely sensitive patient data, with additional time-sensitive consequences that may directly affect patient lives.
These outcomes have attracted serious regulatory attention from HHS, which released a concept paper in December outlining its strategy for strengthening cybersecurity in the healthcare industry. While the measures proposed by HHS aren’t final and some healthcare organization advocates are pushing back against some items in the proposal, the regulatory pressure adds even more urgency for strong cyber protections in the sector.
At the same time, healthcare organizations’ cybersecurity budgets are not unlimited, but they have been rising, according to a Healthcare Information and Management Systems Society (HIMSS) survey report. Of the respondents to that survey who were sure of their budget plans and outcomes, 62% said their cybersecurity budget would increase in 2023 over the previous year, and 67% said their cybersecurity budget had risen in 2022. Meanwhile, healthcare organizations are continuously implementing more technology for everything from operations to customer care, which changes the cybersecurity landscape.
“If you add more technology, you add more risk,” said Grant Thornton Healthcare Industry Principal and Growth Leader Claudia Douglass. “With the addition of more cameras, audio and AI in care venues, as well as electronic health records and CRM and billing systems, the footprint for attacks is vast and cybersecurity strategies should be comprehensive and implementable.”
Amid pressure to tighten controls and manage spending, healthcare organizations are in a difficult spot on cybersecurity: the emergence of specialty centers increases competition and pressure in the industry, while innovative products from the technology sector and new digital healthcare solutions alter care options.
Getting maximum return on cybersecurity investments is essential as hospitals and healthcare providers work to protect their patients while providing the high-quality care that is the essence of the industry’s mission.
The cost of security
Data is a growing part of the proprietary value in companies today, so data security is essential. But it can also be expensive. How much do you need?
“You could potentially spend a huge amount of money on cybersecurity, but it might not be the best decision for your organization,” said Grant Thornton Cyber Risk Advisory Services Managing Director Don Sheehan.
To optimize security, you need more than just spending — you need strategic spending. “You can reduce cybersecurity cost and improve response and operations at the same time,” Sheehan said. “It takes some management direction and dedication, but you can actually reduce your spending and improve your effectiveness. It really is possible.”
As digital threats continue to grow, it’s important to get the most out of your cybersecurity investment. In a recent Grant Thornton webinar, more than 700 attendees from across the industry spectrum indicated that cybersecurity automation, processes and strategy held the greatest opportunity for improved returns.
Strategy
Improving the patient experience is the top priority for growth in the healthcare industry, according to Grant Thornton’s recent survey of healthcare CFOs. A positive experience on issues as critical as a patient’s health, data security and privacy can create loyalty and strong relationships that may last a lifetime.
The most common answer to a question in the same survey asking for open-ended responses about decisions that drive growth was the word “technology.” Through innovative, appropriate use of technology, healthcare organizations have the potential to improve consumers’ experiences and build that all-important loyalty.
But new technology offerings can also lead to cybersecurity gaps that bad actors can exploit. Many organizations plan cybersecurity based on technical factors, without adequately considering their business goals. Likewise, many organizations make business decisions without adequately considering cybersecurity implications.
“We want to make sure that cybersecurity and the business are aligned,” Sheehan said. “People have talked about this for years, but we really need to build that bridge right now. We need to make sure that we're aligned in the right direction and supporting the business as it moves forward. Whether it's the primary goal of the business, a supporting goal or internal functions, there are different IT and security functions that can align there.”
“Securing everything” is expensive, slows response time, and creates constant alerts that make it more difficult to spot real threats. Instead, make sure you set priorities in line with the business goals. In business terms, your cybersecurity spending should focus on reducing the risks and empowering efficient responses that are most important to maintaining secure business operations. This risk management perspective can help you understand how to balance costs. It can also help you set priorities for the data, assets, people, processes and technologies involved.
Data management
Healthcare organizations hold more sensitive information on their customers than just about any other industry. In addition to personally identifiable data, healthcare providers hold information on insurance, personal financial measures, health histories, prescription drugs, lab tests, diagnoses and treatment that demand the utmost care.
This data is so important that federal requirements for maintaining its privacy are included in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Newly passed laws in some states, as well as actions by federal agencies, are bringing more companies into the scope of health data privacy requirements.
Many healthcare organizations have turned to the HITRUST Assurance Program to address and mitigate their information security risks. But as organizations acquire new solutions and data, many adapt their cybersecurity processes along the way. This can lead to a disjointed cybersecurity strategy that sets the wrong priorities or even leaves unprotected gaps. Effective and efficient cybersecurity needs to align with your business data priorities. “Do an analysis of what you have, and then you can prioritize data in different categories for each level of data and the metadata that goes with it,” Sheehan said.
In a recent Grant Thornton webinar, most attendees indicated they had not integrated a data assessment into their security operations.
“Everyone’s at different stages, but relatively few have actually done the full data assessment and integration,” Sheehan said. “You need to understand that this can impact your data privacy as well, especially if you're subject to data privacy regulations.”
Organizations need to understand where data resides, what restrictions should apply and what the priorities are for the business. This is important not only for security but also for programmatic efficiency. Sheehan recalled one organization that chose not to do a data assessment because it deemed the assessment would be too expensive at the time. “I watched them spend about 10 times that amount over the next few years, protecting everything instead of putting things into categories and protecting the right information. It’s actually a huge way to save money — to know what you have, know where it is, know where those data points come together.” The risk of a breach may also be higher if you don’t have an assessment to guide your cybersecurity plans.
Asset management
Effective asset management can enable quicker cybersecurity incident analysis and response, while helping to reduce costs.
“Asset management, while not a cyber function, is key to cyber success. Not everything that improves your cybersecurity has to come from your cyber dollars,” Sheehan said. Asset management tools provide insight into your number of users, assets and other accounts. “It makes sense to reduce the unused accounts, assets and devices, which can reduce your software licensing costs — and your attack surface.”
The more assets and accounts you have live, the more targets for a cybersecurity attack. Unused accounts can be especially dangerous, since new activity might go unnoticed. It’s also important to know where you have old systems or software. “Fairly often, teams will find a threat and release a fix that works for recent versions, like Windows Server 2019 and newer,” Sheehan said. “But what about Windows 2016 servers? How many of those do you have? Or, how many iPhones have access to your environment that are on Version 16 or lower? What system would you have to figure that out?”
Most organizations ultimately need to track a range of assets and platforms, including multiple versions of each, and Sheehan said this diversity can be a good thing. “One answer for asset management is to try to deploy the same device to everybody. But nature usually doesn’t like a monoculture, and bad things can happen when there’s no diversity. If you have only one operating system, and ransomware or other malware infects that, you may not be able to get into your other SaaS-based tools at all. You may not be able to manage it.”
Sheehan said that a diversity of roles can help improve your cybersecurity, too. “Having different people looking at cybersecurity from different perspectives, seeing different aspects, is fantastic.”
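The “what system would you have to figure that out?” question above is answered by querying an asset inventory. The following is an added example, not code from the article or from Grant Thornton: it reads a constructed CMDB-style export, parses platform-specific version strings (Windows Server year plus optional “R2” release, dotted numeric versions for iOS), flags every asset below an assumed minimum version, and separately lists assets on platforms for which no floor has been defined, so that a medical device running unknown firmware does not silently pass. The hostnames, platform names and version floors are assumptions.

```python
"""Find assets below a minimum supported version in an asset inventory.

Added example, not code from the article or Grant Thornton: the inventory
rows, the platform names and the version floors are all assumptions. In
practice the CSV would be an export from a CMDB or MDM.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample inventory, shaped like a CMDB/MDM export.
INVENTORY_CSV = """\
hostname,platform,version,owner
srv-ehr-01,windows_server,2019,clinical-it
srv-lab-02,windows_server,2016,lab
srv-bill-03,windows_server,2012 R2,finance
phone-0041,ios,17.2.1,nursing
phone-0042,ios,16.7,nursing
phone-0043,ios,15.8.1,pharmacy
pump-0007,infusion_pump_fw,3.4,biomed
"""

# Assumed floors: a fix that covers "Windows Server 2019 and newer" leaves
# older servers exposed, and the text asks how many iPhones are on iOS 16 or lower.
MIN_VERSION = {
    "windows_server": (2019,),
    "ios": (17,),
}


def parse_version(platform: str, version: str) -> tuple:
    """Turn a platform-specific version string into a comparable tuple.

    Windows Server names a year plus an optional release ("2012 R2");
    everything else is treated as a dotted numeric version.
    """
    text = version.strip()
    if platform == "windows_server":
        m = re.fullmatch(r"(\d{4})(?:\s*R(\d+))?", text)
        if not m:
            raise ValueError(f"unparseable Windows Server version: {version!r}")
        return (int(m.group(1)), int(m.group(2) or 0))
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def find_outdated(csv_text: str) -> dict:
    """Split the inventory into assets below their floor and assets on a
    platform with no floor defined (those need a human decision, not silence)."""
    outdated, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        floor = MIN_VERSION.get(row["platform"])
        if floor is None:
            unknown.append(row["hostname"])
            continue
        if parse_version(row["platform"], row["version"]) < floor:
            outdated.append(
                (row["hostname"], row["platform"], row["version"], row["owner"])
            )
    return {"outdated": outdated, "unknown_platform": unknown}


def count_by_platform(csv_text: str) -> dict:
    """Answer the 'how many do you have?' question per platform."""
    result = find_outdated(csv_text)
    return dict(Counter(platform for _, platform, _, _ in result["outdated"]))


if __name__ == "__main__":
    report = find_outdated(INVENTORY_CSV)
    for host, platform, version, owner in report["outdated"]:
        print(f"OUTDATED {host:12} {platform:15} {version:8} owner={owner}")
    for host in report["unknown_platform"]:
        print(f"NO FLOOR {host:12} (define a minimum version for this platform)")
    print("counts:", count_by_platform(INVENTORY_CSV))
```

Two design choices matter here. Version strings are compared as tuples rather than as text, so “2012 R2” sorts below “2016” and “16.7” below “17.2.1”; string comparison would get both wrong. And an asset whose platform has no defined floor is reported, not ignored, because the devices most likely to lack a floor (connected medical equipment) are exactly the ones the text identifies as entry points.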
People management
Since everyone plays a role in cybersecurity, it’s important to manage those roles.
“Almost everybody in an organization deals with some relatively sensitive information, to one degree or another,” Sheehan said, including:
- End users: The vast majority of employees interact with sensitive information on a daily basis.
- Executives: Leaders are at a higher risk for phishing, since they are often considered most likely targets.
- Developers, clinicians, sales, HR, finance and internal audit: These teams are outside of cybersecurity but have a special duty to protect sensitive information.
- IT staff: IT admins have privileged-access accounts that can potentially halt business operations.
- Cybersecurity teams: Apart from operations, these teams also include architecture, policy/governance, identity/access management, privacy, and third-party risk.
People in key decision-making roles should participate regularly in scenario-planning exercises that will help them understand what actions they should take if a cybersecurity incident occurs.
“As a prior chief operating officer, my responsibility was to ensure our environment of care drills were conducted regularly, including for cybersecurity incidents. Cybersecurity can be a scary word for clinical and support staff, so it’s crucial that they become more familiar with what to do in an emergency when electronic systems are corrupted or unavailable,” Douglass said.
It’s important to understand the full scope of an employee’s access, because with access comes the potential for mistakes. In a recent Grant Thornton webinar, attendees indicated that accidental employee actions are actually their top cybersecurity concern.
“If you look through annual reports on cybersecurity, accidental employee actions are really key,” Sheehan said. That’s because a lot of cybersecurity really depends on small decisions — the decisions that employees make every day. “The core aspects of cybersecurity hygiene really might have the most pervasive effect on your overall security,” Sheehan said.
“Washing hands is one of their most effective ways of limiting infection spread within the hospital,” Sheehan said. “It could be odd to think something that fundamental wouldn't require something technical, like UVC light, but no. It’s about doing the basics — things that really help at the base level.”
Basic cybersecurity hygiene can have the most pervasive effect across the organization, so it’s important to monitor that effect. “There are a lot of things that the cybersecurity team needs to monitor, but they don’t manage or own,” Sheehan said. “Where are all of these things? What is the data you’re monitoring? How are you going to get that data into a place where a group of people can look at it, understand it and provide a context-based and risk-based analysis of what's going on?”
To effectively monitor, manage, maintain and champion cybersecurity that efficiently enables your business goals, you need a central authority that drives, and even automates, the processes behind your cybersecurity strategy.
Processes and automation
A persistent cybersecurity danger in the healthcare industry arises from medical devices that must connect to the third-party providers who keep them operating, while also connecting to the system of the healthcare provider that tracks the device data to determine patient health outcomes.
This interconnectedness provides a vulnerable entry point for an intrusion or cyber incident in a healthcare system. These gaps may be discovered more consistently through the establishment of a security operations center (SOC) that can consolidate the ongoing management of your cybersecurity strategy. The SOC can provide 24x7 monitoring of processes, overseeing cybersecurity priorities for data, assets and solutions. The SOC can further analyze centralized activity in a security information and event management (SIEM) tool, to assess risks and initiate actions. SOC areas of interest include:
- Data priorities: Your SOC should know where the “keys to the kingdom” data resides, along with other data priorities, to coordinate effective and efficient protection.
- Shadow IT: New solutions can appear in the organization. “People often say ‘I want to try out an AI product,’ or ‘I want to use another solution instead of the enterprise standard,’” Sheehan said. “Or, they want to use personal accounts to get into an online tool where they upload data that might include intellectual property. They have a reason, but that doesn't mean that it makes sense and is a good business practice for the organization.” Your SOC can also help spot when these solutions, and their associated risks, arise.
- Solution design: Your SOC can help inform your organization’s solution architecture and engineering, helping to ensure alignment with the organization’s business goals and risk management.
- Cybersecurity incident telemetry: As your SOC monitors your SIEM and other tools, it can assess and prioritize the events and alerts, taking action and identifying opportunities to automate actions in the future.
“There are basic things that the SOC should do to help the organization, not just be a cost center,” Sheehan said. “Security operations should not be the star of Dr. No. When other teams ask the cybersecurity team for something, the first answer should not be ‘No.’ That's an old-school approach that doesn't make sense. That's not a business enabler, and it just doesn't work. That's a failure.”
Process alignment
One of the ways that the SOC can help drive business value is by centralizing and coordinating processes.
“You need to have everything in the right place, everything coming together so you can see the big picture, have context for what's going on, and make good analyses of what's going on with what is risky and what is not,” Sheehan said. That might sound like an expensive endeavor, but it usually means coordinating existing activities both inside and outside of typical operations:
- Solution development: “We reduce risk by designing secure systems. You reduce cost by designing secure systems. You reduce both by considering security up front,” Sheehan said. Solution development and IT architecture and engineering typically approach solutions from the perspective of making sure they’re available, stable and providing service. Cybersecurity priorities are typically confidentiality, integrity and availability. These overlap, but they are not entirely the same, and it’s important to integrate security into the early stages of solution design and development.
- Solution procurement: The procurement and finance teams need to be coordinated with IT and cybersecurity, to help ensure that new purchases or contracts are aligned with an efficient cybersecurity strategy and support. “With the move from on-premise to cloud technology and new point solutions for care automation, such as the intelligent hospital room, analytics and care management tools, there are a lot of new purchases of technology in healthcare that need to be addressed strategically and operationally,” Douglass said.
- Identity and access management (IAM): Your organization’s IAM might be managed by IT and audited by cybersecurity, or you might have another structure, but you need to centralize and monitor IAM information so that you can efficiently see if there are compromised accounts. You also need to reduce your attack surface by decommissioning accounts or systems when appropriate. “Please also remember, as you're reducing that number of users, to always have a break-glass function,” Sheehan said. “You need a way to get back in, in case other things happen with your IAM system. And your system should alert you if that account ever gets used.”
- Governance: The policy and governance teams have a risk management strategy that should be informed by, and coordinated with, cybersecurity needs. Data retention standards, for instance, need to be aligned with the right minimum and maximum timelines that allow for effective and efficient cybersecurity. Policies can also be important to help direct and authorize the organization’s actions. As your employees, contractors and other collaborators gain access to new technologies and solutions, make sure that you have policies in place that address activities putting your organization at risk and that authorize the appropriate response.
- Internal audit: Internal audit should play a central role in assessing your IT risks, including your cybersecurity risks. Internal auditors usually start by evaluating the organization’s policies but, even when policies exist, they need to go further to confirm that the policies are being followed. Internal audit teams should take a holistic approach that goes a step further: evaluate the cybersecurity controls themselves, with technical testing as part of the audit, to assess both the design and the operating effectiveness of those controls.
- Training: Training can be at the center of driving cybersecurity hygiene, across the organization’s workforce, in an ongoing way. “That human firewall is important — make sure that people have an idea of what to do,” Sheehan said. “You won't stop every click, but you want to make sure they understand the threats and have an awareness.”
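The identity and access management item above asks for two things from centralized sign-in data: a way to see which accounts should be decommissioned, and an alert whenever the break-glass account is used. The following is an added example, not code from the article or any IAM product. It parses a constructed JSON-lines sign-in log as a SIEM might export it, raises an alert on every break-glass sign-in attempt (successful or failed), and lists directory accounts with no successful sign-in inside a 90-day window, while deliberately excluding the break-glass account from that dormancy clean-up. The account names, log fields, reference date and 90-day threshold are assumptions.

```python
"""Two IAM checks over a centralized sign-in log: break-glass account use
(always an alert) and dormant accounts (candidates for decommissioning).

Added example, not code from the article: the log format, account names,
the 90-day dormancy window and the reference date are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

BREAK_GLASS_ACCOUNTS = {"bg-emergency-admin"}  # assumed name of the break-glass account
DORMANT_AFTER = timedelta(days=90)              # assumed policy threshold

# Constructed sample: one JSON sign-in event per line, as a SIEM might export it.
SIGNIN_LOG = """\
{"ts": "2024-03-01T08:02:11Z", "user": "jdoe", "result": "success", "src": "10.10.4.21"}
{"ts": "2024-03-02T09:15:40Z", "user": "asmith", "result": "success", "src": "10.10.4.77"}
{"ts": "2023-11-20T17:44:03Z", "user": "contractor-old", "result": "success", "src": "10.10.9.5"}
{"ts": "2024-03-03T02:13:55Z", "user": "bg-emergency-admin", "result": "success", "src": "203.0.113.9"}
{"ts": "2024-03-03T10:00:00Z", "user": "jdoe", "result": "failure", "src": "10.10.4.21"}
{"ts": "2024-03-03T10:00:30Z", "user": "bg-emergency-admin", "result": "failure", "src": "198.51.100.4"}
"""

# Constructed directory listing; one service account has never signed in at all.
DIRECTORY_ACCOUNTS = {"jdoe", "asmith", "contractor-old", "svc-legacy-fax", "bg-emergency-admin"}

NOW = datetime(2024, 3, 4, tzinfo=timezone.utc)  # reference date for the sample


def parse_log(text: str) -> list:
    """Parse JSON lines into events with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def break_glass_alerts(events: list) -> list:
    """Any use of a break-glass account, successful or not, is worth paging on:
    it should only ever be touched during a real emergency."""
    return [
        (e["ts"].isoformat(), e["user"], e["result"], e["src"])
        for e in events
        if e["user"] in BREAK_GLASS_ACCOUNTS
    ]


def dormant_accounts(events: list, directory: set, now: datetime) -> list:
    """Accounts with no successful sign-in within DORMANT_AFTER (or ever).

    The break-glass account is excluded on purpose: by design it is dormant
    almost all the time and must survive the clean-up.
    """
    last_success = {}
    for e in events:
        if e["result"] == "success":
            prev = last_success.get(e["user"])
            if prev is None or e["ts"] > prev:
                last_success[e["user"]] = e["ts"]
    dormant = []
    for account in sorted(directory):
        if account in BREAK_GLASS_ACCOUNTS:
            continue
        seen = last_success.get(account)
        if seen is None or now - seen > DORMANT_AFTER:
            dormant.append((account, seen.isoformat() if seen else None))
    return dormant


if __name__ == "__main__":
    events = parse_log(SIGNIN_LOG)
    for alert in break_glass_alerts(events):
        print("ALERT break-glass use:", alert)
    for account, last in dormant_accounts(events, DIRECTORY_ACCOUNTS, NOW):
        print(f"DECOMMISSION CANDIDATE {account} (last successful sign-in: {last})")
```

The dormancy check is driven by the directory listing, not by the log, so an account that has never produced a sign-in event (here the legacy fax service account) still surfaces; a log-only approach would miss exactly the accounts that are most forgotten. Failed break-glass attempts are alerted as well as successes, since a failed attempt from an unexpected source is the earlier warning.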
Even with an SOC and effective cybersecurity processes in place, a growing number of organizations are also getting cybersecurity insurance. These insurance providers typically require cybersecurity audits and a framework of cybersecurity standards, which can help enforce compliance across the organization. The standards can help identify issues that the organization might not have been monitoring, and compliance is usually tied to the cost of the insurance. So, better cybersecurity can be directly tied to cost savings.
“One key piece is that whoever signs up for that insurance — the CFO or COO office — needs to communicate with the CIO, CISO, IT and cybersecurity teams about who has it, what it covers and the other details,” Sheehan said. “Often, executives tell us that they have it, but others on the executive team don't know about it and have no idea what the coverages are.” It’s also important to note that policies might have preferred providers and might not cover work from other providers at the same level.
It can even be important to call your cybersecurity insurance provider in the midst of an attack. “They can often help negotiate with the attackers, especially if it's ransomware,” Sheehan said. “They can help negotiate that down because the insurer's paying it, so it's in their best interest.”
Effective process alignment can help you improve security while also saving costs. Plus, when an SOC can look at centralized processes, it can more effectively identify tasks that are standardized, repeatable and time-consuming. These can be excellent candidates for automation.
Automation
The growing complexity of cybersecurity for AI solutions and other evolving technologies has pushed some organizations to consider automation. Many have considered or implemented security orchestration, automation and response (SOAR) tools, but it’s important to recognize that these tools, or any automation, will still require some coordination and work from your teams.
“Be aware that automation is going to take some engineering resources,” Sheehan said. “That's not bad — it's just that you want to make sure you're doing a full cost/benefit analysis as you consider it.”
Well-planned automation can save significant cybersecurity costs over time. To analyze your opportunities for automation and plan the right approach, consider the following factors:
- Complexity: There will be process exceptions, architecture limitations, business requirements and other complexities that limit which processes are candidates for automation, so plan to analyze and understand those before you plan the areas to automate.
- Budget: Automation (especially an initial implementation) will typically require engineers, analysts or both. It’s important to budget for and allocate the right number and ratio of knowledgeable resources to achieve success.
- Customization: SOAR tools have significant potential, but they can require implementation or customization that you should anticipate in your planning. They also might require time to build a baseline of normal activities so that they can provide valuable feedback about anomalies.
The best opportunities for automation are often in the ongoing analysis of alerts or threats as they come in. From there, you can consider whether there are repeatable actions that are also candidates for automation.
“You can really make sure that the alerts which come up for humans to review are really the important things that are anomalous, or take some fuzzy logic or complex correlations to evaluate,” Sheehan said. “That's what humans are good at doing. We can pick out and remember disparate things, and it can be hard to automate that.”
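The three ideas above (build a baseline of normal activity, automate the repeatable actions, and leave humans only the anomalous alerts) fit together in a small triage routine. The following is an added example, not code from the article or from any SOAR product: it computes a per-alert-type volume baseline (mean plus k standard deviations) from a constructed week of history, then sorts today’s constructed alert batch into alert types that run an assumed playbook, types escalated to a human because their volume is outside the baseline or because no baseline exists yet, and types within baseline that have no playbook and are therefore candidates to study for automation. The alert type names, the history, the playbook names and the threshold are assumptions.

```python
"""Triage a batch of alerts against a volume baseline so that humans review
only anomalies, while repeatable, well-understood alerts run a playbook.

Added example, not code from the article or any SOAR product: the alert
types, the baseline history, the playbook names and the threshold are assumptions.
"""
import statistics
from collections import Counter, defaultdict

# Constructed baseline: daily counts of each alert type over the previous week.
# A real SOAR/SIEM would build this window from history before going live.
BASELINE_HISTORY = {
    "av_quarantine_known_signature": [40, 38, 45, 41, 39, 44, 42],
    "failed_login_burst": [3, 2, 4, 3, 2, 3, 4],
    "usb_mass_storage_attached": [12, 10, 11, 13, 12, 9, 11],
}

# Repeatable actions the SOC has already decided are safe to automate (assumed names).
AUTOMATED_PLAYBOOKS = {
    "av_quarantine_known_signature": "close_as_handled_by_av",
    "usb_mass_storage_attached": "open_desktop_support_ticket",
}

# Constructed batch for "today".
TODAY = (
    [{"type": "av_quarantine_known_signature", "host": f"ws-{i:03}"} for i in range(41)]
    + [{"type": "failed_login_burst", "host": f"ws-{i:03}"} for i in range(15)]
    + [{"type": "usb_mass_storage_attached", "host": f"ws-{i:03}"} for i in range(11)]
    + [{"type": "new_domain_admin_created", "host": "dc-01"}]
)


def baseline(history: dict) -> dict:
    """Per alert type: (mean, sample standard deviation) of daily volume."""
    return {t: (statistics.mean(v), statistics.stdev(v)) for t, v in history.items()}


def triage(alerts: list, history: dict, k: float = 3.0) -> dict:
    """Sort alert types into three buckets.

    escalate: volume beyond mean + k*stdev, or a type with no baseline at all
    automate: within baseline and a playbook exists
    review:   within baseline but no playbook yet (automation candidate to study)
    """
    stats = baseline(history)
    counts = Counter(a["type"] for a in alerts)
    decisions = defaultdict(list)
    for alert_type, n in counts.items():
        if alert_type not in stats:
            decisions["escalate"].append((alert_type, n, "no baseline for this type"))
            continue
        mean, sd = stats[alert_type]
        ceiling = mean + k * sd
        if n > ceiling:
            decisions["escalate"].append(
                (alert_type, n, f"volume {n} above baseline ceiling {ceiling:.1f}")
            )
        elif alert_type in AUTOMATED_PLAYBOOKS:
            decisions["automate"].append((alert_type, n, AUTOMATED_PLAYBOOKS[alert_type]))
        else:
            decisions["review"].append((alert_type, n, "within baseline, no playbook"))
    return dict(decisions)


if __name__ == "__main__":
    for bucket, items in triage(TODAY, BASELINE_HISTORY).items():
        for alert_type, n, why in items:
            print(f"{bucket:9} {alert_type:32} n={n:<3} {why}")
```

Two points the code makes that the prose only implies: an alert type with no baseline is escalated rather than automated, because automation with no history is exactly where a SOAR playbook does the wrong thing confidently; and a known-good, playbooked alert type is still escalated when its volume spikes (here 15 failed-login bursts against a baseline near 3), since an unusual volume of a routine alert is itself the anomaly a human should see.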
Research and development opportunities, emerging regulations and the implementation of expensive technology have all led to huge cost increases throughout the healthcare industry, as $13,493 per person was spent on health care services in 2022, according to the Centers for Medicare & Medicaid Services.
In cybersecurity, cost can be a complex issue. However, it’s important to recognize that streamlined efficiency can both save costs and improve the organization’s security. To explore those opportunities, you need to start with a discussion.
If you're not a cybersecurity expert, ask about some of the core strategic, process and automation concepts to bridge the gap. Understand that cybersecurity is about reducing risk and setting the right priorities.
“Your cybersecurity is not set up to block everything,” Sheehan said. “It’s similar to physical security. We don't know who's stealing Bob's sandwich out of the company refrigerator, because we don't have physical security standing at the refrigerator checking on sandwich access. IT is going to be the same way. Nobody's going to advocate spending $200 to protect a $100 asset. It breaks logic at that point. However, you need to know exactly where you’re spending your money, how you're securing your organization and how you’re enabling the business operations.”
Your cybersecurity strategy, processes, automations and costs don’t necessarily need to be larger. They need to be right-sized, coordinated and focused on the right areas. They need to be part of everyone’s cybersecurity hygiene. “That’s the human firewall. You need your people to be helping you do this,” Sheehan said. “Let's make sure we right-size effective cybersecurity for the organization.”
Content disclaimer
This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.