Digital transformation has moved from industry buzzword to a healthcare necessity in just a few years. Healthcare organisations’ (HCOs’) plans to roll out electronic patient records, telehealth, AI diagnostics, IoT devices and more have been greatly accelerated by the pandemic. The strain placed on many systems, such as the UK’s NHS, will only worsen as populations age and the COVID-era backlog of cases persists.
Yet without effective controls, digital technology also increases the attack surface and could lead to serious breaches. The sector has posted the highest data breach costs for 10 consecutive years and is a major target for ransomware. If security therefore plays such a fundamental role in supporting digital growth, why are business leaders in the sector still reluctant to see it as anything more than a “necessary cost”?
Healthcare under attack
HCOs operate a complex blend of legacy and digital systems. The cyber-attack surface is growing all the time. It covers hard-to-patch vulnerabilities in operational technology systems, phishing attacks on staff, insecure devices and employees working from home, and a large, porous ecosystem of suppliers.
Ransomware is a particularly acute threat. Trend Micro data reveals healthcare was the third most impacted sector in terms of malicious files in 2021 and 2022, surpassed by only manufacturing and government. A separate study finds that ransomware hit 81% of UK HCOs in 2022. Over two-fifths (44%) lost data as a result and 64% had to cancel appointments. Yet this is just the tip of the iceberg. According to some studies there’s a growing link between mortality rates and cyber-attacks on HCOs. In one report, a correlation was uncovered between data breaches and heart attack fatalities.
Aside from the reputational and legal/compliance risk this creates, there’s also a financial cost. According to IBM, the average cost of a data breach in the sector now stands at over $10m per organisation.
As more digital technologies are added to existing networks in order to improve the patient experience, lower costs and take the pressure off stretched clinical teams, more opportunities will open up for malicious actors. In this context, security is a vital enabler of what are critically important digital healthcare initiatives.
Ignoring the data
Yet healthcare business leaders don’t seem to see it that way, even when the evidence appears to be staring them in the face, according to our research. Some 62% of global respondents say they’ve been asked about the security posture of their organisation by prospects or suppliers, with 71% admitting they’re concerned this could impact their ability to win new business. In fact, it’s already cost 16% of respondents new contracts. Yet at the same time, half of them don’t see a strong connection between cybersecurity and client acquisition.
Even fewer respondents see a strong connection between cyber and employee retention (45%) or talent acquisition (37%). Yet 79% also admit that security policies have impacted the ability of employees to work remotely. Working from anywhere is identified by a majority (61%) as vital to winning the war for talent.
Time to join the dots
The truth is that the majority of healthcare business leaders see security as a necessary cost but not a revenue contributor, and say that its value is limited to threat prevention. Why are they not joining the dots between security and digital transformation? One answer might be that security in their organisation is currently failing to add value for the business. For example, 62% of respondents see data access as fundamental to unlocking new revenue streams in the coming 12 months. And 87% believe they can achieve cost savings through better use of data. Yet half claim security is creating information silos which can obstruct these efforts. That may be why a third see security as a barrier, rather than a business enabler.
So what needs to change? Healthcare leaders need to see security projects demonstrate real value to the business, by striking a better balance between supporting productivity and innovation on the one hand and managing risk effectively on the other. The era of the “Department of No” should be well and truly over.
Without security, digital transformation projects are hopelessly exposed to ransomware, information theft and other cyber risks which could pause or derail them indefinitely. It is down to the CISO to better communicate this fact to senior leaders, by articulating it in risk language that the business understands. But boards also need to lean in with an open mind, and reframe their perception of what security means to the organisation.
Smart healthcare should be an urgent imperative for all governments and HCOs. But we can only get there with more progressive cybersecurity policies, processes and controls.
By Bharat Mistry, Technical Director at Trend Micro