The nature of business leans toward trying to operationalize the swiftest, most cost-effective solution to solve problems. Technology is often thrown at a problem without realizing the enormous cost of time and effort to implement it. Amid current information security risks and vulnerabilities though, cyber threat prevention and response activities need to be a fundamental component to every technology purchase, every system implementation, and every new integration point introduced. End users must be regularly educated about risks and understand their responsibility in protecting the organization from cybercriminals. A programmatic approach is critical, and strong coordination between business owners and IT is paramount.
Building an IT Service Assurance Program that ties your business and IT strategies – and the execution of those strategies – together can ensure your processes and workflows are enabled in a secure and resilient manner.
Understanding the Threat – and the Consequences
Health delivery organizations often develop business strategies and execution plans independently from IT, creating inconsistency and a lack of coordination. In the current climate, this inconsistency and lack of coordination can pose genuine information security risks with tangible financial costs and serious patient safety implications.
The last year alone has dramatically underscored the impact of rapidly evolving cyber threats – and information security vulnerabilities – in healthcare. Many health delivery organizations still lack even basic visibility into the medical devices (and other connected devices) they own, let alone an understanding of which of those might be at risk. Repeat ransomware attacks aimed at hospitals and health systems are increasingly common. Cyber insurance premiums are rising, and cyber policies now have more coverage exclusions. Meanwhile, new attack vectors and vulnerabilities continue to emerge (for example, in APIs) that hospitals and health systems need to be prepared to address.
The scope of cyber threats is also expanding. The reality is that cybercriminals are not just trying to infiltrate hospitals and health systems directly; they are also gaining access to health delivery organizations by targeting providers’ business and trading partners. Complicating matters is the increasing consolidation among third-party IT vendors, inconsistent due diligence by third-party vendors in vetting their own vulnerabilities, and misconceptions among vendors and providers alike about cloud security, which ultimately remains a shared-responsibility model.
The consequences of experiencing a cyber-attack are significant and well-documented. There is a fundamental risk to patient safety if providers are unable to access key clinical applications. There are also direct and tangible financial costs – which go far beyond just paying the ransom. Additionally, it is impossible to put a price on a hospital’s reputation or the loss of public trust, and it can take years to recover from one bad headline about a breach or ransomware attack.