The healthcare sector in the United States is facing a significant cybersecurity challenge, with individual systems exposed to cyberattacks to widely varying degrees. Despite efforts to address these weaknesses, many hospitals still do not know precisely where or how they are susceptible to attack. A substantial concern is that many systems are struggling to meet even the minimal compliance requirements because of limited resources and support, creating fertile ground for cybercriminals.
- The Change Healthcare cyberattack this year has already cost UnitedHealth approximately $900 million and impacted nearly one-third of Americans.
- A May cyberattack at Ascension led to postponed surgeries, canceled appointments, and diverted ambulances.
- HCA Healthcare suffered a data breach affecting 11 million patients, the largest in a year that saw 725 such incidents.
The persistent nature of these attacks is partly attributed to hackers using new technologies, including AI, to develop more sophisticated tactics. In response, public and private sectors are urging healthcare systems to strengthen their defenses. Notably, insurers now require hospitals to enhance their cybersecurity to maintain coverage. Furthermore, the administration has earmarked $800 million for cybersecurity in the proposed FY2025 Health and Human Services budget.
New York has taken the lead as the first state to introduce regulations that exceed federal mandates, requiring healthcare systems to perform annual risk assessments and establish comprehensive cybersecurity programs. These regulations also stipulate that hospitals employ at least a part-time Chief Information Security Officer (CISO).
The sector faces considerable obstacles, including budget constraints, a shortage of qualified cybersecurity professionals, and workforce retention issues. A HIMSS survey indicates that 74% of healthcare entities find it challenging to recruit qualified professionals. Additionally, 43% of respondents lack sufficient budgets for the needed staff.
Another significant aspect is the vulnerability arising from third-party vendors. Many attacks occur indirectly through these vendors. To mitigate this risk, healthcare organizations need to engage in rigorous vendor risk assessment, focusing on cybersecurity protocols and adapting practices to include security evaluations in procurement processes.
Given the narrow operational margins of healthcare systems, funding for cybersecurity often competes with other priorities, sometimes resulting in ad hoc responses that leave critical gaps. Many healthcare providers find it useful to partner with cybersecurity firms that specialize in risk management and can offer a comprehensive view of organizational risks and solutions.
The growing wave of cybersecurity regulations coupled with ever-evolving threats makes it crucial for healthcare institutions to take decisive action to safeguard not only their own interests but also those of their patients and partners. For a more detailed exploration of this topic, the full article can be accessed at MedCity News.