Navigating the cybersecurity landscape in healthcare
Strategies to future-proof health IT infrastructure and operations
Insights brought to you by Slalom Healthcare
By Jacque Myers and Brad Schulteis
Recent cyber incidents including Change Healthcare and Ascension, along with issues created by configuration updates like CrowdStrike, have impacted more than 1 in 3 Americans, disrupting care delivery and resulting in billions of dollars in damages for payers, providers, and consumers. Beyond cyber, service disruptions caused by power grid failures, natural disasters, and supply chain disruptions are straining healthcare operations and underscoring the need for overall resiliency.
Healthcare executives understand the need to invest in cybersecurity and resilience but face competing pressures and ongoing fiscal constraints. At the same time, the interdependencies across cybersecurity, business continuity, and disaster recovery are more complex than ever before.
The healthcare industry is saturated with policies and frameworks across each of these dimensions, but organizations need a holistic and integrated approach to future-proof health IT infrastructure and business operations. Below are some basic strategies for driving systemic resilience in an austere fiscal environment drawn from existing resources and industry best practices.
Disruptive incidents often require immediate collaboration within and outside of the organization. Establishing strong leadership, governance, and engagement protocols in advance and even conducting regular exercises with representatives of coalitions such as the Health Sector Coordinating Council and Community Emergency Response Teams will help foresee, prepare for, and mitigate potential impacts.
As one of 16 critical infrastructure sectors, the healthcare industry has access to free resources and services from the Cybersecurity and Infrastructure Security Agency (CISA), including Cyber Resilience Reviews (CRRs). These reviews can be conducted independently or onsite with no-cost support from professionals trained in the use of the CRR. Based on Carnegie Mellon’s CERT Resilience Management Model, they cover domains including vulnerability management, external dependency management, and situational awareness. While many organizations have an existing cybersecurity assessment process, the CRR can supplement existing certifications and frameworks with a focus on external collaboration and operational resilience.
Equipped with findings from the review, your task force can develop/update your resilience plan to facilitate continuity of critical services during times of operational stress and crisis. At a minimum, Medicare and Medicaid providers and suppliers must follow core elements of the Emergency Preparedness Rule and Information Security and Privacy Group (ISPG) guidelines, including a comprehensive communications plan for contacting employees, physicians, and members/patients in the event of a disruptive incident. Most importantly, the plan should account for coordination across cyber and physical operations within and outside your organization and be actively reviewed and updated at least annually to address the evolving threat landscape.
In an era of escalating climate change, geopolitical volatility, and increasing technology dependence, hypervigilance and preparedness are critical for patient safety. Resilience plans should be cascaded so that every division, team, and individual within your organization understands the response protocols for potential threats and hazards and is equipped with the training and tools to mobilize in support of response and recovery. Beyond preparedness, long-term resilience should be factored into strategy and planning, from workforce development to capacity building and infrastructure investments.
Originating from the cyber defense industry, threat intelligence is the process of gathering, analyzing, and using evidence-based information to help organizations improve their security posture. As healthcare organizations take a more holistic approach to resilience, threat reporting across physical, financial, and cyber hazards should be a regular part of C-suite and board conversations. While physical copies of resilience plans are still critical, implementation should be an ongoing and active part of business operations.
Multi-cloud adoption could reduce the risk of a single point of failure.
Write once read many (WORM) storage processes could mitigate the financial impact of a ransomware attack by providing a backup of the affected data and innovations.
AI threat detection could identify anomalies in network traffic and user activity to flag suspicious behaviors.
Emergency communications systems could enable coordination within a healthcare facility and with first responders in the event of an electromagnetic pulse (EMP).
Additional resources
CISA Healthcare and Public Sector
Health Sector Coordinating Council (HSCC) Health Industry Cybersecurity – Strategic Plan (2024-2029)
American Medical Association Training: Cybersecurity in Medical Practice
HITRUST
Ransomware attacks have a profound impact on healthcare organizations, causing disruptions in patient care, financial losses, and damage to the organization's reputation (Healthcare IT Today). This underscores the urgent need for healthcare organizations to invest in advanced cybersecurity measures, though budget constraints and competing priorities may pose challenges.
Nearly all health systems now have a Chief Information Security Officer (CISO) or equivalent role, emphasizing the growing recognition of dedicated cybersecurity leadership (MedCity News). However, the effectiveness of these roles may be hindered by organizational silos and insufficient cross-departmental collaboration.
Cyberattacks can cause significant operational disruptions affecting patient (Becker's Hospital Review). Balancing immediate incident response with long-term resilience planning strains resources, requiring substantial organizational change. Operational resiliency strategies must also account for potential service disruptions such as power grid failures, natural disasters, supply chain disruptions, and network outages.
Recent warnings from the Cybersecurity and Infrastructure Security Agency (CISA) about vulnerabilities in Baxter products spotlight the growing risk associated with connected medical devices (MedTech Dive). Ensuring the security of these devices is critical but complicated by the rapid pace of innovation and the need for continuous updates and monitoring.
The increasing sophistication of cyberattacks has led to a cultural shift where healthcare professionals must now prioritize cybersecurity alongside patient care. Building a culture of security awareness is essential, though it may face resistance due to the additional training and behavioral changes required from already overburdened staff (Healthcare IT Today).
The average cost of mitigating a ransomware attack on a healthcare organization is $9.77 million, emphasizing the significant financial impact and the critical need for substantial cybersecurity investments (TechTarget).
Michigan Medicine experiences approximately 500,000 hacking attempts each day, highlighting the constant and pervasive nature of cyber threats in the healthcare sector (MedCity News).
In the first half of 2024 alone, over 250 breaches exposed the sensitive health information of more than 32 million individuals, underscoring the widespread and growing vulnerability of healthcare data (Healthcare IT Today).
Immediate Financial and Operational Risks - The high cost of ransomware attacks necessitates urgent investment in cybersecurity measures to protect against financial losses and operational disruptions (Healthcare IT Today).
Building a Culture of Cybersecurity Awareness - With healthcare organizations experiencing hundreds of thousands of hacking attempts daily, fostering a culture of cybersecurity awareness and resilience among staff is crucial (MedCity News).
Future-Proofing Healthcare Systems - Looking ahead, healthcare leaders must adopt advanced technologies, such as AI-driven threat detection, to future-proof their systems against evolving cyber threats and ensure overall operational resilience (Healthcare IT Today).
Global Healthcare Capability Lead
Jacque leads the vision, strategy, and go-to-market capabilities for Slalom Healthcare. With 18 years of experience across the healthcare ecosystem, Jacque is committed to building solutions at the intersection of strategy and technology to advance fiercely human healthcare.
During her time at Slalom, Jacque has worked with executives from some of the world's leading healthcare organizations to translate bold ideas into pragmatic solutions that improve health equity, economics, and outcomes.
Director of Cloud and Security Solutions
Brad is an accomplished cloud security leader with 20+ years of enterprise IT management experience leading large and small programs in both the public and private sectors.
In his work, Brad focuses on facilitating complex conversations between business, finance, security, and technical teams while acting as a champion for cyber security, executive stakeholder management, and driving change throughout large enterprises.