Data security: Can stakeholders finally work together to protect it?
As cyberattacks on healthcare organizations become daily occurrences, there’s growing recognition of the crisis and more willingness to address it.
“I am sick and tired of hearing about our healthcare data getting compromised! Like seriously, it is so annoying! Enough is enough! How incompetent can we be as an industry?”
This statement from a dear friend sent me reeling as we both reflected on the UnitedHealth Group data breach earlier this year. Until that point, I had not spent a lot of time understanding the current state of data security, nor did I care. I just trusted that the many incredible healthcare leaders I know were at the helm, doing their best and would figure it out.
But maybe my trust, especially as a patient and father of five little patients, was ill-placed. So, I decided to dive into this and found the following; I hope it instills hope through knowing rather than further distrust. I believe we can tackle this industry problem.
The healthcare sector is at a tipping point, caught in a relentless storm of cyberattacks that threaten patient safety, financial stability and the trust of an already stretched industry. With a 102 percent increase in large-scale data breaches and an alarming 950 percent rise in stolen patient records during the past five years, the urgency to act has never been greater.
In a landscape marked by outdated technology and an ever-expanding attack surface, healthcare leaders face an uphill battle. Yet amid the chaos, signals are emerging that indicate that all necessary stakeholders are aligning to tackle the cybersecurity crisis.
The scope of the threat
Cybercriminals continue to double down on healthcare, exploiting the industry’s unique vulnerabilities. The February 2024 ransomware attack on Change Healthcare, which compromised 100 million patient records, and the May 2024 server breach at Ascension, contributing to $1.8 billion in losses, underscore the magnitude of the issue.
Healthcare’s reliance on legacy systems compounds the problem. Many organizations still use technology that’s as much as 30 years old. Layer in hundreds of contracted applications, thousands of connected devices and a persistent shortage of cybersecurity talent, and the result is a sprawling attack surface that bad actors can easily exploit.
The consequences are becoming dire. A staggering 74 percent of hospitals report that data breaches directly impact patient care. In a sector where minutes can mean the difference between life and death, it's only a matter of time before the attacks compromise patient care.
Stakeholder alignment is a critical step
Amid these challenges, one hopeful trend that cannot be overstated seems to be emerging: there’s growing alignment among stakeholders. CEOs, CFOs, CIOs and government agencies, though taking their own paths, are starting to converge on a united resolve to prioritize cybersecurity. This is a big, big, big deal, folks!
However, while budgets are growing, optimism among CISOs remains tempered by the persistent lack of talent and reliance on outdated security systems and practices. Prevention efforts often take a back seat to recovery, perpetuating the cycle of vulnerability.
The role of government: Legislation and leadership
Prior to this year’s election, the federal government seemed to be stepping up to address healthcare’s cybersecurity crisis. Bipartisan legislation, such as the Health Infrastructure Security and Accountability Act of 2024 and the extension of the FTC Health Breach Notification Rule, aims to establish stricter standards and enhance accountability.
Perhaps portending post-election possibilities, the first Trump administration actually focused on cybersecurity more than any other administration in the past several decades. In 2017, 2018 and 2021, the Trump administration rolled out an executive order to strengthen federal networks and critical infrastructure, released a national cyber strategy and, in 2021, signed an amendment to the HITECH Act creating "safe harbors" for those healthcare entities that adopted cyber best practices.
Building on a record of prioritizing the issue, is it possible that the Trump administration could continue this focus in its second go-around?
However, experts emphasize that the current proposals won’t be enough. Drawing parallels to the HITECH Act and Meaningful Use policies, which drove widespread adoption of electronic medical records, experts anticipate the need for significant government investment to ensure equitable cybersecurity capabilities across all healthcare organizations.
The equity gap challenges providers
One of the biggest challenges is the growing disparity in cybersecurity readiness between large health systems and smaller providers. Community health centers, Federally Qualified Health Centers and rural hospitals often lack the resources to meet the escalating demands of cybersecurity.
Without targeted support, these providers risk falling further behind, leaving their patients — and, by extension, the broader healthcare system — exposed. Addressing this equity gap will require creative solutions, including government grants and partnerships that mirror the success of past federal initiatives.
A holistic approach for the future
Solving healthcare’s cybersecurity crisis will require a multi-faceted approach. I am not even going to pretend that I have the answers, nor am I saying it will be easy. I was actually planning on offering some possible suggestions on how to approach the problem, but my contemporaries who are on the frontlines every day would likely just laugh at whatever simplistic ideas I might offer.
However, I will give a plug to the Health Sector Coordinating Council. They seem to have their act together. The HSCC strategic plan document is as good as any set of strategies that currently exist.
The clock is ticking, and the enemy is gaining ground. But with decisive action, healthcare can emerge stronger, more resilient and better equipped to meet the challenges of an increasingly digital future.
Mitchell Josephson is the president of the American College of Health Data Management.