Cybersecurity Investment as a Clever Business Enabler

According to the US Healthcare Cyber Resilience Survey conducted by EY and KLAS Research, 7 of 10 healthcare institutions have encountered substantial business interruption because of cyberattacks in the last two years.

The survey drew on 100 healthcare professionals in charge of cybersecurity decisions at their companies. Companies suffered an average of 5 cyberattacks last year. Only 3% of organizations did not experience any cyber threats last year. The types of attacks noted were:

  • Phishing attacks – experienced by 77% of organizations
  • Third-party breaches – experienced by 74% of organizations
  • Malware – experienced by 62% of organizations
  • Data breaches – experienced by 47% of organizations
  • Ransomware – experienced by 45% of organizations

These cyberattacks have a huge effect on patient care and company operations. 72% of participants said that their company suffered moderate to serious financial consequences because of cyberattacks in the last two years. 60% reported a moderate to serious operational consequence, and 59% reported a moderate to serious clinical consequence.

In healthcare, cybersecurity is frequently viewed as a set of protective measures to defend against cyberattacks and ensure compliance. However, cybersecurity must be regarded as a company priority. Cyberattacks substantially affect patient care and company operations, damaging the company’s reputation and hurting its profitability. Healthcare companies that prioritize cybersecurity find that it produces value and enables them to deliver better results.

Cybersecurity spending must be tied to outcomes, including decreased downtime, better patient safety, and financial security. According to the survey, CISOs are considerably better at communicating this to the C-suite. When the amount of cybersecurity investment is weighed against the cost of a shutdown to patient care and income, funds are usually made available. The survey indicates that the primary obstacle is not convincing the organization to spend on cybersecurity, but sustaining the financial commitment over time, particularly when finances tighten or goals change. It can be especially difficult to keep that commitment if, after committing to cybersecurity, the company still faces moderate to extreme cyber incidents.

Cybersecurity is a shared responsibility across the company and the health system. If budgets tighten, cutting cyber investments can make health companies weaker and eventually result in higher expenses. Health executives need to change their perspective from viewing cyber as an expense to viewing it as a tactical enabler of the company.

The problem many companies face is competing company priorities and limited budgets, which were reported as an issue by 66% of respondents. Other difficulties affecting healthcare companies include a rapidly changing threat landscape, third-party risk management, AI-driven threats, and the problem of recruiting and retaining cybersecurity expertise.

One of the major takeaways from the report is the value of viewing cybersecurity as more than a collection of technical and management safeguards for achieving HIPAA compliance. Cybersecurity must be considered a value creator that is just as important to the success of the company. When cyber is incorporated into patient care and operational and business plans, it is no longer just compliance. It acts as a catalyst for trust, change, long-lasting strength, and sustained care delivery.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681