Healthcare organizations safeguard substantial troves of personal and financial data, making them prime targets for cybercriminals.
According to a survey from the Healthcare Information and Management Systems Society (HIMSS), more organizations are strengthening their defenses. The study found that 55% of healthcare organizations plan to boost their cybersecurity spending this year.
“Healthcare must invest more in cybersecurity, perhaps second only to education, à la the PowerSchool breach,” said Tracy Goldberg, Director of Fraud and Security at Javelin Strategy & Research. “Healthcare is widely known for its cybersecurity vulnerabilities, and exposure of employee and patient Personal Identifiable Information.”
“Breaches and ransomware attacks—which exfiltrate sensitive PII and then hold the healthcare organization for ransom under the threat of exposing the stolen data on the dark web—are and have been all too common for many years,” she said.
The Change Healthcare Data Breach
Just as concerning as the frequency of ransomware attacks is their magnitude. Many healthcare leaders are reevaluating their cybersecurity solutions and third-party relationships in response to the largest healthcare data breach of all time—last year’s ransomware attack on UnitedHealth Group subsidiary Change Healthcare.
The attack compromised the PII of over 190 million people and, much like the PowerSchool breach, was traced back to a cybersecurity lapse. Cybercriminals gained access to Change Healthcare’s systems using a single set password on a user account that lacked multi-factor authentication.
Increasing Cybersecurity Budgets
This incident, along with the rise in ransomware attacks targeting healthcare organizations, has forced a shift in the industry. According to HIMSS, healthcare organizations have historically allocated 6% or less of their IT budgets to cybersecurity. Now, nearly a third of respondents plan to spend more than 7% of their IT budget on cybersecurity this year.
This heightened focus on cybersecurity is critical because the ramifications of data breaches extend far beyond the healthcare industry.
“The lack of cyber focus and investment on the healthcare side has a domino effect on other industries, such as financial services,” Goldberg said. “These sectors eventually have to pick up the pieces of stolen consumer PII that turns into identity theft and subsequent fraud.”