Based on some independent research that my company commissioned with more than 200 companies, we came to several conclusions that are highlighted in the article. Broadly, however, it signals the false sense of (cyber)security that many companies are currently harboring.

BY CHRIS BOWEN | Published November 22, 2022 | MedCity News

 

It’s no secret that cybersecurity is becoming a more pressing issue for both governments and private businesses around the world. We are seeing more and more sophisticated cyber criminals – with the support of rogue nation-states – attacking vulnerable networks throughout the US.

For the American healthcare system, there is so much more at stake than simply the financial consequences of falling victim to a ransomware attack. In my view, every time I work with a healthcare provider, or any healthcare company for that matter, their data is life. Every patient record represents some of the most intimate personal information someone could share with their trusted medical expert. When cybercriminals attack these hospital networks and target PHI data for either a disruption of service or ransomware attack, they are literally jeopardizing a patient’s ability to survive, as well as very intimate patient privacy. We should be treating cybercriminals who engage in these types of attacks just like we would treat violent criminals trying to harm people on the street.

Avoid complacency

Healthcare organizations need to wake up and value the data they collect like it’s a human life. The stakes could not be higher to protect patient data and maximize cybersecurity. Based on some independent research that my company commissioned with more than 200 companies, we came to several conclusions highlighted below. Broadly however, it signals the false sense of (cyber)security that many companies are currently harboring.

Different degrees of preparedness and confidence

First, the C-Suite executives responsible for designing cybersecurity strategy expressed much greater confidence in the defense of their systems than many of the managers and directors surveyed who interact with the technology on a daily basis. This suggests that there is a potential mismatch between the leaders who architect their cyber defenses and the individuals manning the defenses.

Based on my experience, this was not too surprising. C-Suite executives have different objectives and focus. They’re focused on the horizon, and where to move the organization to skate to where the puck is going, not where it is. The staff is focused with navigating “technology debt”, actively blocking vulnerabilities and threats, and dealing with zero-day patches. While this isn’t an unhealthy disconnect, the lesson is that leaders of cybersecurity defenses need to work on their metrics.

They need to measure what’s happening in the day-to-day; they need metrics that are aligned to what’s coming around the corner. This will help them be prepared with what’s about to happen, based on what has happened historically. We need a mix of top-down metric driven cadence, and bottoms-up approach from the staff of what’s happening and what could happen to create the most informed cyber defense strategy.

Removing the barriers to cloud adoption

Second, cloud adoption is a priority for many healthcare companies. But over 50% of respondents said cybersecurity is the biggest obstacle to adopting cloud technology. Our research showed this is an even greater challenge for smaller providers with revenues under $500 million.

I believe leaders can commit to cloud adoption without sacrificing cybersecurity by picking the right partners. A few years ago, we had an astounding 3,000,000 cybersecurity jobs that could not be filled. There simply wasn’t enough skilled labor to fill those roles. Today that gap has shrunk to 1,500,000 open roles, but it’s still a large gap. For healthcare organizations that can’t afford to find the best talent in cloud or cyber, they should partner with a third-party expert who can provide continuity of talent, in case their talent gets poached.

When to partner

Our third insight from the survey was that larger provider organizations and those with advanced cloud maturity primarily outsource cloud security and compliance solutions. Which presents a sort of “chicken or the egg” dilemma; do organizations become large and advanced and then outsource cloud security and compliance, or does outsourcing cloud security and compliance allow organizations to focus on their business and overall innovation?

Many organizations have tried to build out advanced cloud or cyber solutions on their own and they’ve found they usually have a talent gap that prevents them from successfully executing. On the other hand, if they let a partner handle the blocking and tackling of daily cyber security and cloud services, they can focus on patient care.

That’s the better route in most cases. It’s not that they don’t want to do it themselves, it’s just that they need to focus on their organization’s mission. No healthcare provider gets into business because they want to build an expensive, resource-intensive security operations center (SOC) from scratch; they built a business in healthcare because they want to improve patient health outcomes. Working with a cloud and cyber security partner lets them focus on their core mission.

Fueling innovation with strategy

And finally, 71% of providers have proactively increased their cybersecurity budgets. Which is fantastic, they’re putting their money where their mouth is and protecting patients. But you can’t solve every problem with just more money or more bodies – the companies that simply throw money at solutions without carefully designing them typically don’t innovate the way they should. The HCOs with the best cyber security outcomes are the ones that intentionally plan their strategy and innovation; writing larger checks and hiring more staff is not a silver bullet in and of itself.

Healthcare cyber security has made a lot of progress in recent years – but we still have so much more innovation to introduce to such a critical marketplace. We must not become complacent when the data healthcare companies collect represents a human life: because in our business, data is life.