5 Crucial Ways to Drive Urgency Around Cybersecurity Remediation

Navigating cybersecurity in a healthcare organization can feel like being a lookout aboard the Titanic: you can see the iceberg coming, but how do you convince the captain to change course? 

This blog offers insights to help leaders clarify the true threat of cyberattacks and build urgency within the c-suite. With a deeper understanding of the communication challenges and a robust business case for remediation, we provide everything you need to unlock a larger remediation budget and avoid catastrophe in 2024. 

Expect to learn: 

• Why healthcare organization routinely underfund remediation efforts 
• Actionable tactics to unlock a stronger remediate budget 
• Which tools will best support and accelerate remediation 

3 Obstacles to Acquiring a Solid Remediation Budget 

Given the potential cost of a cyberattack, you might expect healthcare executives to urgently prioritize fixing vulnerabilities. But in reality, efforts to promote remediation constantly come up against a few common obstacles: 

1. Limited Cybersecurity Budget 

The primary barrier to investments in remediation is the shockingly small budget available for all cybersecurity activities. Just 6% of Healthcare IT budgets is devoted to security, which speaks to a systematic underestimation of the harms associated with cyber risk. 

As a result, allocating a large enough budget to effectively remediate existing vulnerabilities feel like an unnecessary or avoidable expense – and many executives prioritize reducing their margins.  

2. Competing Priorities 

Healthcare Chief Information Security Officers (CISOs) routinely have upwards of 70 projects in the works at any given time. They could be involved with introducing new software solutions whilst also navigating third-party vendor assessments. With the added pressure of staffing shortages, it becomes difficult to know which projects to prioritize – and this often leads remediation to be sidelined.  

An important factor here is cultural inertia. Many organizations assume that remediation can’t be that urgent – because they haven’t experienced any major disruptions in the past. This makes it difficult to justify dedicating more of your already-too-small budget to remediation. 

3. Difficulties Communicating Risk 

Cybersecurity has two important factors working against it: the abstract nature of the threat and the sheer complexity of the subject. These two factors make it difficult for leadership to grasp the dangers and understand the urgency of remediation – leaving many IT security leaders feeling like “lone rangers”. 

The result? Research finds that healthcare boards are less likely to consider cybersecurity a priority than other industries – and directors in healthcare facilities are less likely to claim a strong understanding of systemic risk. And while security leaders try to frame the problem in a way that decision makers understand, it is usually an uphill battle. 

What ties these three obstacles together is a lack of understanding. Leaders don’t have clarity on the risks or dangers involved in a poor cybersecurity posture – which means the key to unlocking the budget you need for fast and effective remediation is creating a sense of urgency across the entire organization. 

5 Tactics to Unlock a Larger Cybersecurity Remediation Budget 

1. Make the Risks Concrete 

Many executives experience cybercrime as an abstract concept – which feels inherently less urgent than the kinds of risks (patient health, financial) they are used to dealing with. But this can be tackled in two ways: 

First, attach concrete numbers to the risk associated with cybercrime. For example, many executives will be shocked to learn that 55% of healthcare organizations experienced a third-party breach in the last year alone – and the average cost was $10.1 million. Similarly, executives may assume training is not a major priority, but research suggests that between 88-95% of data breaches are caused by human error – and could therefore be avoided with proper training. 

Second, make specific cyber risks more vivid by providing real-life examples. The HHS’s “wall of shame” is helpful here: it documents all healthcare breaches and explains where the breach took place. Not only does this help demonstrate the reputational risk of delaying remediation – it makes clear just how common cyberattacks really are. 

2. Map Your Risks 

Another obstacle to unlocking budget for a cybersecurity remediation is a lack of confidence about how large the budget should be. Security leaders should therefore provide clarity by mapping the risks your organization currently faces and the potential consequences associated with them. This will not only help reframe remediation as a relatively small investment, but it will also give confidence that the remediation has been carefully thought out. 

There are three factors to consider here: 

1. Quantification of risk. Can you put a specific number of the a) the amount of vulnerabilities within your organization and b) the expected cost of an attack or data breach? 
2. Relevance of risk. Can you find examples of PR crises or large fines that occurred to organizations like yours? This leaves no room to rationalize why the same thing couldn’t happen at your organization. 
3. Timeliness of risk. Can you build a case for why this risk is imminent?  
4. Leverage Culture  

You only have to Google “healthcare data breach” to see the profound reputational damage inadequate cybersecurity posture can cause. This forms a crucial aspect of the argument for unlocking a remediation budget, because a negative reputation costs your organization heavily in the form of human capital expenses.  

Such reputational damage can result in: 

• Lower patient acquisition, as new patient no longer trusts your organization with their data 
• Low employee morale, when employees feel they are working for an organization that is looked upon negatively 
• Recruitment challenges, where top talent no longer wants to be associated with your organization 
• Disruptions to payroll, where providers are unable to process insurance claims and rack up large backlogs of overdue payments – and the provider often has to absorb the cost of being unable to collect. 

For most healthcare organizations, these may already be pain points. An effective strategy here is therefore to a) quantify the existing cultural and staffing challenges your organization faces, and b) explain how the reputational harm involved in a data breach would exacerbate those challenges.  

4. Present Solutions  

It is difficult to commit to the remediation process if it appears too challenging. Executives might as well understand the vulnerabilities they face, but without a set of actionable solutions, they are liable to feel helpless. 

The key is to present a plan of action that covers three essential bases: 

1. It is concrete. You can explain exactly what needs to be done, how it will be achieved and when each vulnerability will be fully remediated. This should ideally be presented in a document that executives can look over in their own time to build confidence and establish transparency. 
2. It is costed. You can provide a breakdown of the financial implications with evidence that this is the most cost-efficient way of doing things properly.  
3. It is comprehensible. You can present the plan in a way executives grasp immediately and can see the business case for. 

5. Introduce the Right Tools 

Both executives and employees struggle to navigate the sheer complexity of cybersecurity remediation. From managing multiple disparate data sources to keeping track of several remediation tasks simultaneously, the process can go overbudget or be heavily delayed if you don’t put the right tools in place ahead of time. 

That is why Integrated Risk Management (IRM) has become so popular within healthcare organizations. IRM software enables you to gain full visibility of your risk, track costs and see the impact of the process on your organization’s finances – all in one place.  

But which solution will best serve your needs? 

Intraprise Health’s IRM software is the most robust and comprehensive solution on the market. It pulls all the results from every type of cybersecurity assessment you’ve run into a single platform, allowing you to: 

• Create a centralized view of all existing vulnerabilities and understand their impact 
• Prioritize remediation tasks 
• Track remediation progress 

We also offer free remediation consultations to help you plan your process and choose the most impactful tools.  

Need help planning your remediation? Contact us to get started.

About the Author

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.

Subscribe to the Blog