SEIZE THE $50 BILLION SITE-OF-CARE SHIFT OPPORTUNITY
Get the tools, data, and insights to drive growth.
Learn more
RECALIBRATE YOUR HEALTHCARE STRATEGY
Learn 4 strategic pivots for 2025 and beyond.
Learn more

Daily Briefing

Cyberattacks are on the rise. Here's how to prepare.


In a recent webinar, John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, explained the danger hospitals and health systems face from a growing number of cyberattacks, as well as what leaders can do to prepare for these attacks at their organizations. 

The growing impact of cyberattacks

According to Riggi, the number of ransomware and other cyberattacks against hospitals and health systems have increased in the last few years due to healthcare's growing reliance on network and internet-connected technology.

In IBM's Cost of a Data Breach 2022 report, healthcare was the industry most significantly affected by data breaches. Each breach costs healthcare companies an average of $10.1 million, and losses may be large enough to force some hospitals out of business.

These attacks also often disrupt and delay healthcare services, which can then negatively impact patient safety and outcomes.

"Attacks that take place in real time cause direct losses to hospitals, which have to reroute patients, deny care, lose access to electronic health records and see the risk to human lives rise as a result of the attack," said Limor Kessem, a principal consultant in cyber crisis management for IBM's Security X-Force. "That's on top of staff distress and having to revert to manual procedures and paperwork."

It can also take months for a hospital or health system to recover from a cyberattack. For example, Johnson Memorial Health was hit by a cyberattack in October 2021 and did not return to near-normal operations until almost six months later. The organization has also struggled with costs from the cyberattack, including seeing its annual insurance premium increase by 60%.

"That is an incredible increase in cost over the last three or four years and...when your claims aren't paid, it can be even more frustrating," said Johnson Memorial CEO David Dunkle. "We are investing so much in cybersecurity right now that I don't know how small hospitals will be able to afford [to operate] much longer."

How to prepare for a cyberattack

To help hospitals and health systems effectively prepare for cyberattacks, Riggi offers four key tips:

1. Take a multidisciplinary approach to your emergency response plans

When developing emergency response plans for cyberattacks, be sure that leaders across the organization, clinical staff, emergency managers, and other stakeholders are all included.

Partnering with your local community and coordinating with other healthcare organizations can also help mitigate the effects of a cyberattack across a region. Establishing prearranged channels of communication can make it easier to share information across organizations.

2. Expect cyberattacks to happen and plan for longer recovery times

According to Riggi, organizations should prioritize cybersecurity investments, with consideration toward the long-term effectiveness and reliability of these solutions.

Organizations should also educate and train their staff, conduct phishing exercises, and have several plans for incident response, disaster recovery, and business continuity in place. Cyber incident response planning should also be integrated with emergency response planning, and there should be department-specific plans to help identify high-risk patients and ensure continuity of care if an attack occurs.

Over time, leaders should continue to work closely with staff to continually refine processes and gather feedback.  

3. Create an evidence base of cybersecurity best practices

Riggi recommends organizations invest in research evaluating the effectiveness of different cybersecurity interventions. Organizations should also share their findings to help improve cybersecurity efforts across the entire healthcare industry.

4. Carefully evaluate new technologies and vendors

Organizations should practice due diligence when evaluating outside resources to reduce attacks. They should also encourage accountability, evidence-based practices, and stronger security measures from technology vendors. (Riggi, American Hospital Association, 10/2)


Access our cybersecurity resource library

To get started, use this resource page to guide you through the following steps for becoming a cyber resilient organization:

1. 3 steps to (finally) address your cybersecurity 'elephant in the room'

2. How to be a cybersecurity sentinel

3. Scripps CEO: What we learned from being attacked by ransomware


SPONSORED BY

INTENDED AUDIENCE

AFTER YOU READ THIS

AUTHORS

TOPICS

INDUSTRY SECTORS

Don't miss out on the latest Advisory Board insights

Create your free account to access 1 resource, including the latest research and webinars.

Want access without creating an account?

   

You have 1 free members-only resource remaining this month.

1 free members-only resources remaining

1 free members-only resources remaining

You've reached your limit of free insights

Become a member to access all of Advisory Board's resources, events, and experts

Never miss out on the latest innovative health care content tailored to you.

Benefits include:

Unlimited access to research and resources
Member-only access to events and trainings
Expert-led consultation and facilitation
The latest content delivered to your inbox

You've reached your limit of free insights

Become a member to access all of Advisory Board's resources, events, and experts

Never miss out on the latest innovative health care content tailored to you.

Benefits include:

Unlimited access to research and resources
Member-only access to events and trainings
Expert-led consultation and facilitation
The latest content delivered to your inbox
AB
Thank you! Your updates have been made successfully.
Oh no! There was a problem with your request.
Error in form submission. Please try again.