Healthcare’s recent cybersecurity incidents have highlighted how the industry has failed to protect patient data by not dedicating enough resources to the problem.
Health systems and insurers are dealing with the aftermath of the industry’s latest large-scale ransomware attacks on St. Louis-based Ascension, UnitedHealth Group's Change Healthcare and Chicago-based Lurie Children's Hospital, among others. Conversations are happening over whether organizations should be bringing in outside consultants or hiring more employees, executives say.
“Do we have enough people? Do we need consulting help to accelerate resiliency projects and testing? Those are the conversations going on right now," said James Case, chief information security officer at Jacksonville, Florida-based Baptist Health. "The current climate is causing us to bubble those conversations to the top, and whether we should get help one way or another.”
What’s clear is hackers have their sights set on healthcare. In 2023, a record 133 million individuals were potentially affected by healthcare data breaches, according to the Health and Human Services Department's Office for Civil Rights breach portal. Through April this year, 280 breaches have been reported affecting more than 32.5 million people. Those numbers don't include the impact of the Change Healthcare breach and other recent cyberattacks.
One of the biggest challenges healthcare organizations face in dealing with these threats is hiring qualified talent, according to a survey of cybersecurity professionals within the industry published in March by the Healthcare Information and Management Systems Society. Nearly 75% of respondents said recruiting employees for cybersecurity roles was a major workforce challenge, and most attributed it to budget constraints.
About 300 people are working on cybersecurity at Renton, Washington-based health system Providence, said Chief Information Security Officer Adam Zoller. The employees are split geographically, with 40% in India and 60% in the U.S. While the Providence executive team and board will provide the resources if needed, it can be hard to hire the best cybersecurity talent when the system is competing with other industries that pay higher salaries, Zoller added.
“Every dollar I spend on security is a dollar that comes out of a hospital's pocket to provide patient care,” he said. “You go for the best talent to solve the problem that you have in front of you. And ultimately not everyone's going to accept your offer if you're coming in at half of what a Facebook analyst gets paid.”
Cybersecurity is a 24/7 issue, which makes it hard to find people for night shifts, Zoller said. Even if they can find people to work overnight, there’s usually a high turnover rate, he said. That’s why Providence’s team in Hyderabad, India, is trained and ready to respond if a breach were to occur in the middle of the night.
“Having a global ‘follow the sun’ approach has been very helpful to us,” Zoller said.
Instead of hiring full-time employees, systems can bring in third-party companies that have experts who can manage data privacy operations at all hours of the day, said Lee Kim, senior principal of cybersecurity at HIMSS. But the best of these organizations will command top dollar, which may be beyond the budget at many health systems, she said.
While health systems weigh adding more cybersecurity staff or third-party consultants, most are focused primarily on education and readiness with their current employees and IT systems. A lot of Baptist's work in the last few months has been increasing organizational preparedness by continuously refining its phishing tests and training, Case said.
"The bad guys are getting smarter, faster and more organized," Case said. "AI is helping them improve the speed, targeting and believability of their phishing emails."
No perfect cybersecurity staffing ratios exist, and there isn't an industry gold standard, said Zachary Durst, a senior associate at executive search firm WittKieffer. Healthcare chief information security officers must work with what they’ve been given, he added. Some systems are using a hybrid approach, in which a health system outsources some functions to third-party companies and works on more complex issues with an in-house team.
“You have to be creative in how you build out your [data security] team,” Durst said. “Maybe a [third-party company] provides tier one and tier two support, but tier three support is coming through an in-house team. You can limit the kind of run rate on the salaries you're paying, because you're focused on getting a more experienced leader to offset that hybrid model.”
Recent incidents should spur action from executive leadership to ensure organizational readiness, Kim said. This doesn’t just mean hiring more people or bringing on third-party consultants. It also means creating a systemwide governance structure so CISOs aren’t asked to do everything, she said.
“In light of all these cyberattacks, it's a great time to go to your board and say, ‘look, this is a big liability and a big issue. And it could be millions of dollars at stake, and it could be large troves of data. This is no longer simply an issue that I feel like I can deal with alone,’ ” Kim said.