How Hyland helps healthcare organizations improve cybersecurity
Data breaches are increasingly common — and expensive — in healthcare. Our experts provide tips on how organizations can better protect themselves.
Healthcare organizations, which possess a plethora of information that is valued by cyber thieves and nation-state actors, are particularly vulnerable to cyberattacks.
According to statistics compiled by the HIPAA Journal, an average of 1.99 healthcare data breaches of 500 or more records were reported each day in 2023. The 725 total attacks in 2023 were 96% higher than the 2018 tally and marked the eighth consecutive year in which the number of data breaches increased.
“The scary thing is, we haven’t really had a period where they’ve been on the decline,” Hyland Director of Cybersecurity Dylan Border said.
The average cost of a breach reached an all-time high of $4.45 million in 2023, according to IBM Security. In the healthcare industry, the norm was a staggering $10.93 million. The average cost of a healthcare breach has increased 53.3% since 2020, and the industry’s 2023 average was $5.03 million ahead of the next-most-vulnerable industry (the financial industry, at $5.9 million).
Much more important than the numbers, though, are the impacts that cyberattacks can have on patient safety and the ability of healthcare organizations to provide uninterrupted care delivery. By failing to keep patient records private, healthcare organizations also face potential harm to their reputation and could incur substantial penalties.
How can healthcare organizations better protect patient data? What should they do if they’re attacked? Border and Dan Dennis, Hyland’s chief information security officer, provide answers.
“It all boils back to good security and IT hygiene,” Border said on the Health Innovation Matters podcast.
Here are 10 high-level tips from Hyland’s cybersecurity experts.
“Having leadership support is critical to success,” Dennis said.
“This is an absolute need. This is not an optional factor,” Border said.
According to IBM Security’s research, the average cost of a data breach for organizations with high levels of employee training was $3.68 million. The norm was $1.5 million higher for organizations with low levels of employee training ($5.18 million).
“During a phishing scam, when an attacker goes to use the credentials that they’ve successfully harvested from you, you’ll get that prompt, and that will be your key to not actually log into that service right now,” Border said.
Examine your external vulnerabilities and internet footprint. If there are any weaknesses, attackers will be ready to exploit them.
“If we’re talking about one area where healthcare really is lacking, I think it’s around vulnerability management,” Border said.
“Your people are going to be your weakest link,” Dennis said. “They need to know how to identify attacks, how to report attacks and what to do in those types of attacks.”
“You’ll want to have different levels of technical controls across the organization,” Dennis said.
This can include email filters, antivirus and malware protection, and other measures to block entry points.
Providing such access only where it’s “absolutely required” can significantly limit the risk of attacks, Dennis said.
“You want to make sure you have offline encrypted backups and you’re regularly testing those backups,” Dennis said. “That way, you can react quickly and react accordingly when you’re attacked.”
Getting an outsider’s assessment of your network can identify risks that you might not have seen during internal reviews.
Cybersecurity is no longer a “check-the-box function,” Dennis said. Understand its importance and the leadership support it requires.
Healthcare organizations — facing mounting resource challenges and strict compliance requirements — have been slower than other industries to make the move to the cloud. In this story, you’ll hear from three Hyland Healthcare customers who took on that daunting task and offer top benefits and best practices from their cloud transition.
First, we’ll address the obvious: “The No. 1 thing would be don’t make this the first time you’ve considered it,” Border said.
“Ideally, you would have thought about a response plan, business continuity and disaster recovery efforts, what your company can and can’t do during a ransomware attack,” Border said. “If you have considered it, you should be executing those plans.”
From here on out, every minute is valuable, and having clear marching orders is crucial.
“Make sure your key responders and key personnel are educated on who is accountable for what actions and what they’re required to do,” Dennis said.
“Hopefully, you have security partners and consultant groups that you’re already working with. Leverage those minds right away,” Border said.
U.S.-based companies can also enlist the help of the FBI and the Cybersecurity & Infrastructure Security Agency (CISA). (This CISA mitigation guide offers best practices to combat pervasive cyber threats.)
“If you have an understanding of what the ransomware has exploited, what types of systems and data and patient records it’s taking, do you have backups of that? Is it feasible to recover what you believe has been exploited?” Border said.
“Do you know how they came in? Because if you don’t and you start mitigation and recovery and deleting laptops and servers and then bringing it back online, if you haven’t plugged the hole, without a doubt it will spread right back to the new things that you’re bringing online,” Border said.
“Having an open line of communication with all of your partners, all of your vendors, is really essential,” Dennis said. “Working together is what’s going to ensure success.”
As healthcare organizations upgrade their tech stack, cybersecurity should be top of mind.
“What is their software development life cycle? What is their patching process? How do they support you?” Dennis said.
Getting answers to your questions will help you make a more informed decision. Keep in mind, though, that “nothing is perfect” in cybersecurity, Dennis said.
All of which is why transparency is so important.
“These well-known industry leaders that have a reputation for transparency, in my opinion, are always good ones to look at first if they provide a solution in the market (that you’re looking for),” Dennis said. “Knowing that a company by design thinks of security transparently just might be the thing that tips them over the edge in terms of your business decision.”
Hyland’s intelligent content solutions are designed to detect and combat cyber threats effectively, with protection measures such as encryption, permissions, risk management and retention, and selected access and approval processes.
Migrating content to the cloud can alleviate some of the challenges healthcare organizations confront as they attempt to keep up with ever-changing cybersecurity threats and privacy regulations. The Hyland Cloud allows organizations to quickly scale to their needs while supporting security and compliance requirements.
The Hyland Cloud also provides an average uptime of 99.99%, making an organization’s data available whenever and wherever it’s needed.
Baptist Health — a Louisville, Kentucky-based health system with nine hospitals, nearly 23,000 employees and 1,500 employees — shifted from an on-prem deployment to the Hyland Cloud.
“We are more secure in the cloud than we were on-premises,” Corporate IT Manager Mitzie Dodge said. “It’s just comforting and you sleep better at night.”
Bon Secours Mercy Health — one of the five largest Catholic health systems in the U.S. — moved more than 700 million documents to the Hyland Cloud.
“Prior to the move to the cloud, our system was a little unstable,” IT Strategic Partner Julie Januski said. Now, the health system is “in a much more stable place than we were prior,” she added.
Endeavor Health — a nine-hospital health system with more than 27,000 team members and 1.3 million patients — is attacked 1,500 times an hour, System AVP Eric Merchant said.
“Thank God that nobody has penetrated our systems,” he added. “The side benefit of the cloud with (Hyland and) AWS is that they are constantly optimizing security on a daily, weekly and monthly basis, and we are getting the benefit.”
That’s why Bon Secours CIO Mike Hibbard talks about the “CIO ROI” that comes with cloud transitions.
“I could sleep better at night knowing that Hyland has our back on security, on patches, on monitoring,” Hibbard said.
Does your healthcare organization have “good security and IT hygiene”?
Hyland can help.