By Damian Chung
As we head into year three of the pandemic, COVID management continues to consume a majority of healthcare resources. As a side effect, many elective surgeries over the last two years have been put on hold in favor of treating COVID patients. Elective procedures are where most medical institutions make their margins—and this shortfall is ultimately impacting budgets for IT and security advancements.
From March to May 2020 alone, hospitals lost more than $20 billion in revenue when the first phase of the pandemic led to an unprecedented nationwide shutdown in elective surgeries. “Elective” surgeries may include cosmetic as well as time-sensitive procedures—such as screenings, biopsies, hernia repairs, and valve replacements—where delays can worsen the chances of disease morbidity and even patient mortality. The projected recovery time for these postponements ranges anywhere from 4 to 164 months, depending on the institution.
But those losses didn’t stop with that first intense wave of COVID. By some estimates, healthcare organizations in the U.S. continued to lose an estimated $54 billion in net income in 2021, with more than a third of U.S. hospitals maintaining negative operating margins.
Ransomware ratcheting up healthcare risks
At the same time that revenue has been falling, ransomware attacks against healthcare systems have spiked during the pandemic. Cybercriminals have been callously opportunistic about leveraging the circumstances of a mass disaster for their personal enrichment.
Two-thirds (67%) of healthcare delivery organizations report having been victims of ransomware; another one-third say they’ve experienced two or more attacks.
The healthcare industry also sustained the highest average cost of a data breach for the eleventh consecutive year. The average total cost of a healthcare data breach increased by nearly one-third year-over-year—from $7.13 million in 2020 to $9.23 million in 2021. The damages done by a successful attack drive a hospital into an even deeper budgetary crisis. Ireland’s healthcare system is still recovering from a widespread ransomware attack that happened last year—with a total cost projection of more than $100 million. Closer to home, a massive cyberattack last May cost a major California healthcare provider $112.7 million, with lost revenue bearing most of the cost. But financial losses aren’t even the worst potential outcome to worry about.
Another recent survey noted that nearly one in four healthcare providers reported an increase in patient mortality due to ransomware. Case in point—one pending lawsuit alleges that a severe ransomware attack at a hospital in Alabama compromised the quality of care and availability of fetal monitoring equipment, leading to the eventual death of a newborn. The filing is the first credible public claim linking the loss of a human life directly to a cyberattack. Ransomware also contributed to the circumstances surrounding a German woman’s death in September 2020.
Security is stuck in the middle
Despite rapidly escalating risks, many clinicians also continue to resist strict network controls that could inhibit access to the information and communications they need to treat patients and save lives. When I talk with healthcare security leaders, they all feel the pressure that any decision they make right now could be impacting a life in one way or another. A common scenario is that when they go to install a new network or security control to reduce the hospital’s attack surface, doctors respond by saying, “Well, if you do that, you're going to harm my patient.” There aren’t many other industries where security teams also have to worry about directly protecting people’s lives.
Security professionals are really stuck in the middle. You want to be able to do your job to protect the broader network from attack, but you also don't want to implement a control that might impact a patient’s quality of care by blocking a doctor’s access to critical, life-saving resources. It feels like a no-win situation for healthcare security teams.
A broader history of healthcare security stagnation
Statistics show that healthcare has fallen behind other industry sectors in its ability to detect, prevent, and mitigate cyberattacks. The average healthcare organization takes 236 days to detect a data breach and 93 days to mitigate damages—versus an overall industry average of 207 and 73 days, respectively. While the consequences of slow and ineffective healthcare security have clearly escalated during the COVID era, the underlying conditions that led to this crisis have been allowed to persist for years.
Researchers have found that the average healthcare organization spends only about 5% of its IT budget on cybersecurity. By comparison, the financial sector dedicates at least twice as many resources to combating cyberattacks—retail and corporate banking institutions spent 9.4% of their IT budgets on cybersecurity in 2020, while insurance companies dedicated 11.9%. Another report ranks healthcare 9th in security spending compared to other industries—and this reluctance to prioritize security is one of the reasons why healthcare providers are being targeted with such ferocity.
As in any technology department in any other industry, neglect leads to stagnation. You can’t expect anyone to overcome new challenges and rapidly changing conditions using the same old tools, obsolete strategies, and outdated training. While I know many healthcare organizations that are starting to embrace a zero trust approach to security, a larger population of healthcare security teams has become largely stagnant.
Without the necessary resources dedicated to their team year after year, it shouldn’t come as a surprise that healthcare security teams haven’t been able to keep up with the rest of the world in terms of modern cybersecurity strategies. And while the industry faces an acute cybersecurity crisis today, the conditions leading up to this stem from chronic neglect.
Surviving the storm means prioritizing security
Healthcare security leaders are facing a perfect storm of fewer budgetary resources and a “damned if I do, damned if I don’t” choice between ransomware and quality of care. Surviving these unprecedented conditions requires action and innovation—as opposed to a passive “ride it out” approach. But despite the exorbitant costs and high frequency of attacks, only 11% of healthcare IT executives said that cybersecurity is a high priority in a recent survey—and two out of three respondents said they didn’t even track return on investment (ROI) for cybersecurity spending.
Healthcare leadership urgently needs to prioritize investment in modern cybersecurity tools and training. Specifically, they need security that supports contextual controls and better visibility across networks in order to protect healthcare organizations from ransomware and other sophisticated attacks without blocking clinician access to life-saving resources.
About the author: Damian Chung is a cybersecurity leader with over ten years of security experience focused in healthcare. As the business information security officer at Netskope, Damian is responsible for overseeing corporate security tools and processes and acts as the subject matter expert in the healthcare vertical. He also serves as an adjunct professor for the cybersecurity program at the University of Advancing Technologies in Tempe, AZ.