Maintaining health care cybersecurity has become paramount following sustained attacks on the industry. The cybercrime landscape continues to evolve dramatically, with newer threats and potential attack vectors appearing more quickly. Simultaneously, IT budget cuts have become rampant, straining the ability of health care providers to implement robust and resilient digital security systems. Amid an increasingly hostile cybercrime territory, these tips can help chief information security officers (CISOs) stretch limited financial resources without compromising cybersecurity measures.
1. Review Current Security Spending
On average, health care institutions allocate 6% or even less of their budgets to cybersecurity. Making the most of this sparse allotment begins with auditing the current IT security expenditures to identify areas where overspending may occur. For instance, two separate tools might have overlapping functions, so paying to use them both wouldn’t make sense.
Instead, health care providers can consolidate security vendors, streamlining their spending and enhancing operational efficiency. This approach can also make vendors more willing to offer exclusive discounts and service rebates, saving the institution money.
2. Get More From Existing Tools
As cybersecurity events have surged in recent years, so have the technologies available to address them. Regardless of their purpose, the important thing is that these tools are used to their full potential. If a security system can perform multiple functions, it automatically gets priority over single-function tools.
Sticking to multifunctional tools can also make cybersecurity management more accessible, as there is a reduced risk of misconfigurations and patch management issues. It’s equally important to go for tools that fit seamlessly into the organization’s cybersecurity framework. This minimizes the need and resulting payments for specialized staff training on integrating and maintaining these systems.
3. Implement Security Automation
Automation has come a long way in cybersecurity and is even more advanced today thanks to AI and machine learning technologies. Automated IT security systems can identify, analyze and respond to threats more quickly than human workers. Over time, this level of automation may reduce dependence on some paid security tools or even render them obsolete, freeing up the budget.
Leveraging modern tools to automate cybersecurity operations can also decrease the workload of IT teams and minimize human error. A recent survey shows 52% of companies say their IT personnel spend too much time manually collecting and sorting data. AI-powered data collection processes negate the need for external security consultants or additional staff.
4. Tap Into Free Resources, Subsidies and Grants
The health care industry has abundant cybersecurity training, workshops and tools to help enterprises protect themselves from cyberattacks, all free. One example is the 405(d) Program — a public-private collective nexus that provides a wealth of products, tools and insights to address evolving cyber threats in the health care sector. These resources may help cover gaps in an institution’s digital security framework without costing a cent.
Eligible institutions can also apply for federal and state grants to build their cybersecurity budgets. Additionally, it might help to forge ties with local CISA and other government agencies, as they might have information on where else to obtain financial support.
5. Make the Case for More Funds
Due to the rapidly evolving nature of the cyber threat landscape, digital security systems might eventually become ineffective, requiring newer and improved replacements. At some point, no amount of budget-stretching will accommodate modern cybersecurity requirements, so requesting increased funding is the only way forward.
There’s a compelling case to be made for maintaining a resilient infrastructure. In 2021, it cost an average of $9.42 million to manage the fallout from a health care data breach. Beyond the financial loss, the reputational damage can be even more severe, considering hospitals store sensitive patient information. Ultimately, expanding the budget to ensure existing systems can prevent such occurrences is more pragmatic than spending on damage mitigation after the fact.
Current Efforts Could Be Better
Despite how widespread and evident data breaches have become, the industry is not putting quite enough money towards fixing them. A 2022 survey revealed only 22% of health care IT managers are confident that their institution provided adequate cybersecurity funding.
Beyond improved financial backing, CISOs must also make security and awareness training mandatory for all employees. Everyone is responsible for maintaining a functioning digital security infrastructure, particularly since employees represent one of the most common gateway points for attacks. However, according to HIPAA, as many as 24% of health care workers had received zero security awareness training as of 2020.
Allocating a Tight Cybersecurity Budget
Budgeting for cybersecurity in health care can be tricky, especially with current economic and geopolitical uncertainties. CISOs can generally approach the matter from three angles.
Prevention
The goal here is to limit potential risks, so the focus will be on cost-effective solutions that minimize exposure. Part of the budget should go toward building and maintaining an evolving cybersecurity culture where everyone follows best practices, from the chief medical officer to the day-shift cleaning technicians.
Detection
This approach allocates budget funds toward safeguarding sensitive information and automating security features like real-time threat monitoring and alerts. IT managers should weigh the cost and value of keeping an existing solution against switching to a new one.
Response
If something goes wrong, the time between detection and notification is vital. Paying more for an advanced system with near-instantaneous automated threat response may be worth the outlay in preventing potentially bigger and more severe exploits.
Making a Healthcare Cybersecurity Budget Work
Cybersecurity budgets are tighter than ever, and CISOs must now do more with less while maintaining a robust IT security strategy. These tips can help managers stretch their budgets to accommodate the growing requirements of digital security.
By Zac Amos, rehack.com