Healthcare CISOs Need Federal Assistance to Deal with Increase in Cyber Threats

A recent survey of Chief Information Security Officer (CISO) members of the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) has highlighted the impact cybersecurity incidents have had on the healthcare industry and the need for federal assistance to deal with the threats.

The healthcare industry has long been targeted by cybercriminals, but attacks have increased during the pandemic. 67% of respondents said their organization had experienced a security incident in the past 12 months, with almost half saying they were the victim of a phishing attack. Phishing and business email compromise attacks, malware, ransomware, hacking, and insider threats were the most common security exploits used in cyberattacks on the industry.

Cyberattacks can cause patient safety issues. One recent study indicates mortality rates increase following a ransomware attack, as do medical complications and the length of hospital stays. The survey confirmed the impact on patient safety, with 15% of respondents saying there had been a patient safety issue after a cyberattack and 10% saying they were forced to divert patients to other facilities in the wake of an attack.

The increase in attacks has meant an increase in costs. More than 80% of surveyed CISOs reported an increase in costs associated with cyberattacks in the past year. 20% of respondents said costs had increased by 50% in the past year, with one in six saying costs have doubled. Not only have remediation costs increased, but the cost of cyber insurance policies has also risen due to the increased risk of cyberattacks.

Indeed, the situation is likely to get worse as there are several emerging threats of major concern, such as the rise in IoT and other connected devices, an increasingly remote workforce, supply chain threats, API security issues, and risks associated with third-party consumer health apps.

Funding for cybersecurity has long been a problem in healthcare, but the increase in costs has made the situation far worse and many CISOs are struggling. “We are overwhelmed with unfunded federal mandates. Our organization is struggling through the pandemic while having mandate after mandate applied. [This is] not sustainable,” said one respondent to the survey.

The survey confirmed healthcare providers need more help dealing with the increased threat of attacks. Congress is considering several new measures to improve defenses against cyberattacks for critical infrastructure, including healthcare, but CHIME and AEHIS say healthcare is often left on the periphery, even though the healthcare industry is one of the most targeted parts of critical infrastructure and one of the most vulnerable.

40% of respondents said they need help in the form of grants or federal assistance to improve cybersecurity, a third said they would benefit from regional extension centers with cyber experts on hand who could come on-site to provide guidance and expertise, and 16.7% said they would benefit from closer relationships with federal authorities such as the FBI and CISA.

52% of respondents said they had signed up with an Information Sharing & Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO), but further guidance is needed, as 10% of respondents said they were unsure when it was acceptable to share threat information. When guidance is provided, it needs to be communicated more effectively. For instance, 45% of respondents said they were unaware of 405(d) best practices that had been published by the HHS.

“From this survey it is clear that healthcare providers will need several tools in their arsenal to fight an ever-escalating and complex battle that is being brought directly to their doorstep and threatens their delivery of patient care,” said AEHIS Advisory Board Chair Will Long. “More resources, education, and ongoing support for our sector are needed.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.