Is cybersecurity spending too low to prevent another Change breach?

Healthcare’s lack of investment in cybersecurity is in the spotlight as the Change Healthcare breach continues to disrupt the industry.

On Feb. 21, Change Healthcare, which processes 15 billion transactions a year, suffered a ransomware attack that has caused ripple effects throughout the healthcare system, hampering operations and finances for hospitals, physician offices, pharmacies, insurers and patients. Cybersecurity professionals are sounding the alarm on future attacks if healthcare organizations don't start putting more financial resources into protecting their data. 

Read more: HIMSS24: Change Healthcare outage is the elephant in the room

“The landscape has changed. The threats are higher,” said David Ting, chief technology officer and founder of cybersecurity company Tausight. “We should be going to DEFCON 2.”

Healthcare organizations spent an average of 8.1% of their total IT budget on cybersecurity, according to a report from cybersecurity consultancy and research firm IANS Research and recruiting firm Artico Search published last September. Only the retail sector ranked lower in IANS' analysis.

Experts say this lack of spending is a reason why 2023 was the worst year on record for data breaches targeting the  healthcare industry. To make matters worse, healthcare data breaches have been the most expensive of any industry for 13 consecutive years. 

Erik Decker, vice president and chief information security officer at Salt Lake City-based Intermountain Health, said cybersecurity expenditures as a percentage of revenue is how organizations should analyze their spending in this area. He said cybersecurity should have the same criteria as other operating expenses and not necessarily be tied to a smaller budget.

“There’s not a magic number because every institution is going to be different,” Decker said. “But there are good ranges.”

The Healthcare & Public Health Sector Coordinating Council, a public-private partnership, along with the Health and Human Services Department and the Centers for Medicare and Medicaid Services, published an analysis on cybersecurity resiliency within healthcare in May 2023. Large health systems ranked in the upper quartile when they allocated between 0.42% to 0.75% of revenue to cybersecurity.

Large health systems struggle with cybersecurity when they allocate less than 0.42% of their revenue to cybersecurity. Smaller providers struggled overall with investing in cybersecurity resources, the report found. 

“They’re balancing between: ‘Do we buy an MRI or do we invest in a backend process like cyber,'" said Decker, who was an author on the Healthcare & Public Health Sector Coordinating Council's report.