When a cyber-attack forced Change Healthcare to shut down 111 different services and pay a $22 million ransom in early 2024, it sparked enough outrage to prompt an investigation from Congress.
This was one of America’s largest health information exchange (HIE) platforms, responsible for roughly a third of the country’s medical records: how could a group of cybercriminals get inside their network?
But in truth, the real shock is not that such an event took place – it’s that so many healthcare organizations still believe a similar breach will never happen to them.
This article explores this attitude – which we term “reactive cybersecurity” – and presents a positive alternative.
Expect to learn:
- Why healthcare cybersecurity budgets are so small
- The average cost of a healthcare data breach
- How proactive cybersecurity does more than just protect your patient data
Reactive vs. Proactive Cybersecurity: What’s the Difference?
Reactive cybersecurity is commonly defined as an approach that waits until a breach has occurred to take action. It focuses on damage control and quick fixes to mitigate the fallout of system failures. However, it is better understood as a belief about the role of cybersecurity within organizations.
Organizations whose approach is reactive treat cybersecurity as a question of compliance. They don’t truly believe their system will be attacked and therefore view taking extra steps to uncover hidden vulnerabilities or gain voluntary certifications as an unnecessary expense.
This is the dominant mode in healthcare, which explains why the average healthcare organization still spends 6% or less of its total IT budget on cybersecurity. However, a growing number of organizations are moving away from this reactive approach and are embracing a proactive one.
Proactive cybersecurity treats safe IT systems as mission-critical and invests heavily in improved cybersecurity posture – regardless of the level of immediate perceived risk. Why would they do this? Because they understand that uncovering hidden vulnerabilities is essential for the long-term viability of a healthcare organization – and they are aware of the eye-watering costs associated with failing to address such weaknesses.
4 Ways Reactive Cybersecurity Puts Healthcare Businesses at Risk
Those “eye-watering costs“ manifest in multiple ways, often leading organizations to underestimate the true impact of an attack until it’s too late:
1. Financial Costs
Reactive cybersecurity leads to poor security posture – making it more likely an attack will be successful. Many organizations only consider the compliance fines this leads to – which are already high, given the sensitivity of healthcare data. But it’s important to note the:
- Cost of systems outages
- Expense of remediation efforts
- Damage of legal action from patients whose personal information has been compromised
- Impact of increased insurance premiums
- Scale of potential ransom payments
Overall, one estimate puts the average cost of a healthcare data breach at almost $11 million – more than double the average across all industries.
2. Reduced Trust
The perceived failure of a healthcare organization to protect its patient’s data has a lasting impact on trust. This impacts two mission-critical factors:
- Patient retention and acquisition: A reputation for mishandling or not adequately protecting sensitive data can lead existing patients to look elsewhere and make it harder to attract new patients.
- Staff retention and recruitment: Employees may find work elsewhere if they feel the organization doesn’t align with their values.
Of course, both also impact your long–term financial viability – further demonstrating how widespread the costs of a breach are.
3. Disabled Operations
A reactive approach to cybersecurity is likely to leave organizations less resilient in the face of an attack. They are less likely to have automated processes in place to deal with the threat and less likely to have well-oiled business continuity plans in place – leaving them in limbo during an incident.
Until the attack’s nature, compromised systems, and restoration timeframe are known, uncertainty around resuming normal operations damages both the entity’s and affected third parties’ public perception – as well as compromising patient care.
This is exactly what happened to Change Healthcare: some larger healthcare providers were reportedly bleeding more than $100 million and even had to take on loans to continue operations, while others had already resumed operations as normal.
4. Third-Party Damage
One cybersecurity incident can spread far beyond its origin into third-party organizations. For example, affected business associates’ administrators can’t make payroll, impacting staff duties. Insurers can’t process claims or make payments, with patients themselves footing the bill for their care.
This is exemplified by the Change Healthcare attack, which has financially impacted 94% of all U.S. healthcare organizations.
What Does Proactive Cybersecurity Involve?
Proactive cybersecurity is all about anticipating future problems and taking steps to protect your IT systems. As threats evolve, best practices change and weaknesses within their systems emerge, proactive organizations make adaptation a priority. But what does this mean in practice?
A few examples of proactive cybersecurity in healthcare are:
- Ongoing security risk assessments: While annual HIPAA security risk assessments (SRAs) are legally mandatory, a single assessment each year will not help you keep pace with new cyber threats or uncover all vulnerabilities. Proactive cybersecurity would undertake more frequent assessments using frameworks like NIST as a guiding light to ensure optimal system performance.
- Third-party risk management: Nearly 90% of healthcare breaches are tied to vendors, but most organizations struggle to assess and remediate risks within their network. A proactive approach would seek to fix this problem and make third-party risk management (TPRM) a priority, undertaking regular vendor assessments and putting into place ongoing network monitoring systems.
- Automation and process optimization: Healthcare organizations often have fragmented cybersecurity processes that rely on manual effort – making every assessment or remediation project a massive lift for their security teams. The proactive approach would focus on fixing inefficiencies and implementing tools that will save time and make life easier in the long run.
- Workforce training: Over 80% of cybersecurity breaches are caused by human error, but many healthcare personnel are most likely to receive training either annually or on an ad hoc basis. But this isn’t enough to give them a proper understanding of the problem or keep up with changing threats. Proactive organizations make education a priority and provide more regular and frequent training to ensure staff are aware of the evolving threat landscape.
Of course, many readers will be thinking, “This looks like a large undertaking. What can the benefits possibly be?”
3 Ways Proactive Cybersecurity Benefits Your Business
A quality cybersecurity plan extends beyond keeping cyber criminals out of secure information environments. Here are three ways a proactive cybersecurity plan can add value to your services and your business overall:
1. Enhanced Productivity
Cybersecurity vulnerabilities don’t just increase the risk of a breach; they are also weaknesses in your system’s performance. With proactive measures in place, your workforce is likely to be more efficient: data can be shared more easily, manual effort related to cybersecurity is minimized and there is less likelihood of costly and dangerous system downtime.
2. Reduced Cybersecurity Costs
Systematizing the management of secure information and meeting regulations will reduce your cybersecurity costs over time. A simple example is your annual HIPAA SRA: with the right system in place, you can save information from the previous year and import it directly into your new report, simply updating data fields that have changed.
Similar gains can be made across the board, ultimately enabling you to make more efficient use of your cybersecurity resources.
3. Increased Incident Preparedness
Proactive cybersecurity reduces the likelihood of a breach, but it also ensures effective processes are in place to respond if one does take place. Policies and procedures will be documented and optimized, and your workforce will be well-prepared to cope with any fallout.
The result? Less risk of IT downtime or damage to your infrastructure, increased patient safety due to business continuity plans, and a higher likelihood that your reputation will emerge from the breach unscathed.
Build a Proactive Cybersecurity Plan with Intraprise Health
For over 13 years, more than 64,000 providers have trusted Intraprise Health to strengthen their cybersecurity posture and take a proactive approach to your cybersecurity strategy.
Want to explore how we could help you increase your system’s resilience?