Alleviating Cyber Debt in the Healthcare Industry
The healthcare industry continues its reign as the number one cyber attack target. For 12 consecutive years, the healthcare industry has incurred the highest breach-related financial damages of any industry with an average cost of $10.10M per incident. Attacks on Trinity Health and Scripps Health, for example, are two of the largest data breaches in history and reveal just how vulnerable PII and PHI data really are.
Healthcare in the U.S. is a massive expenditure, accounting for more than 18 percent of the United States’ gross domestic product (~$3.5 trillion). With a growing and aging population and an increasingly complex network of companies and healthcare institutions working together and sharing information, hackers do not have to look very hard for rewards. The COVID-19 pandemic widened the exposure further as the industry was forced to operate beyond the walls of the doctor’s office and hospital: primary communications shifted to email and text in some cases, and doctor’s visits turned into virtual appointments. This sudden shift to remote, digital operations opened a new and vulnerable flank in an industry trying to accommodate the urgent needs of patients.
Outdated systems, a shortage of IT staffing and protocols, and life-or-death scenarios often create conditions that leave patients and staff exposed to data-targeting attacks. The follow-on consequences, such as a pressing need to pay ransoms quickly to regain patient data, only encourage bad actors to target the industry more.
Given the patchwork of existing security vulnerabilities within the industry, healthcare providers and facilities are likely to incur cyber debt, if they have not already. Cyber debt is the accumulation of unaddressed security vulnerabilities in an organization’s IT infrastructure, usually the result of implementing new systems and technologies over time. It emerges through the improper management of sensitive data and assets, and specifically from outdated systems with far too few staff and protocols to maintain basic hygiene such as updates and patches.
CyberArk’s 2022 Identity Security Threat Landscape Report found that less than half of cybersecurity decision-makers have identity security controls in place for their business-critical applications, while 79 percent agree that their organization prioritized maintaining business operations over ensuring robust cybersecurity in the last 12 months. These are negligent – yet all too common – practices that have the potential to rack up cybersecurity debt in any industry, not just healthcare.
When considering the kinds of information that are at stake, such as medications, diagnoses, and medical histories, these outdated practices cannot continue. In the court of public opinion as well as the court of law, liability judgments are becoming increasingly costly and are holding executives personally liable.
Eliminating risk altogether is impossible; however, investing wisely in threat mitigation is possible and a vital step in deterring an attack. For most providers, partners and businesses serving the healthcare industry, the most efficient way to tackle cyber debt is by partnering with a managed service provider (MSP) like Thrive that is familiar with the challenges faced by healthcare organizations. Thrive’s comprehensive IT outsourcing services can eliminate gaps in security and enable internal technology teams to focus on quality of care for patients instead of scrambling to recover patients’ personal data.
With glaring holes in security operations across the healthcare industry, Thrive has the expert resources to augment your over-extended cybersecurity team and modernize your security posture to better prevent and mitigate cyber attacks, create a disaster recovery plan, and help ensure compliance with HIPAA, HITECH, and other regulations.