Healthcare cybersecurity predictions for 2023

Zakir Hussain, CEO, BD Software Distributor, throws light on four healthcare cybersecurity predictions for 2023

Over the past few years, the healthcare industry has undergone a major transformation compared to other industries. The pandemic has forced healthcare companies to find new digital-first methods to serve their customers and adopt digital infrastructure services to maintain business operations.

This shift has led to the rise of telehealth services and an increase in the adoption of SaaS partners, IoT devices, and digital infrastructure. As a result of this shift towards digitalisation, healthcare industries have left themselves overexposed to risks and attacks. This is largely why healthcare companies have experienced a 69 per cent increase in the volume of cyber-attacks, the highest of any industry.

Now that much of the world is finding its footing, the challenge for 2023 is understanding how to adapt to a post-COVID world that incorporates this new digital transformation in ways that address cybersecurity as well as new, emerging threats. For healthcare industries, this requires balancing their digital initiatives with cybersecurity and implementing a thorough, comprehensive risk management and cyber resilience strategy that’s forward-thinking for 2023 and beyond.

Here are four healthcare cybersecurity predictions for 2023 that healthcare leaders should be aware of:

Device security will be a major priority

The use of IoT devices and connected medical devices has always posed a risk to healthcare organisations, due to poor security in the devices themselves [1] and because healthcare organizations generally don’t take the necessary precautions to minimize the risk of a breach. IoT device usage, however, is expected to increase [2] and as manufacturers pay attention to security, the onus of securing these devices and the connecting networks will fall on security department leaders [3].

Remote care and telehealth services are also projected to increase [4]. This is offsite care that will still require ongoing monitoring and additional devices that can relay information wirelessly and also be part of a patient’s overall treatment. Healthcare organisations shouldn’t fall into the same trap as medical devices and ignore potential security harms, especially since an attacker may now be able to attack a patient’s personal network, creating a new legal risk for healthcare providers.

Security leaders will need to handle an increasingly complex environment full of potentially insecure devices while also ensuring that new remote care and telehealth initiatives don’t expose the company to cyber, compliance, or litigation risk.

Attacks other than ransomware are likely to increase

Since the pandemic, ransomware attacks have seen a dramatic increase, rising 105 per cent in 2021 [5], and 94 per cent over the last year for healthcare organizations [6]. In 2023, however, we may see a less pronounced increase in the number of ransomware attacks for a number of reasons. The dramatic drop in cryptocurrency values [7], the most common form of payment for ransomware attacks, may lead to attacks having a lower payoff [8], given the volatility of cryptocurrency prices.

The rise of ransomware overall has been well documented, and organisations across industries, as well as security vendors, tools, and partners, have worked to minimise the risk and effectiveness of these attacks.

These factors might lead attackers to shift from ransomware to other kinds of attacks that may have a higher success rate. This can include BEC attacks, ransomware, phishing, and ransom DDoS attacks [9], where attackers shut down a company’s servers or website until a ransom is paid. Hackers know that the healthcare industry is a prime target, so it may be the primary target for these new attacks, requiring healthcare organisations to focus on more than just ransomware with their cybersecurity strategy.

Cybersecurity leadership will finally be prioritised

The healthcare industry has always struggled with cybersecurity, largely due to a lack of priority, resources, and leadership. The last few years have introduced complexity [10], increased the average attack surface, and seen much more aggressive moves from malicious attackers who ramped up their attacks, particularly ransomware.

Despite these new and expanded risk factors, few healthcare organisations shifted their strategy and committed more resources to cybersecurity and IT departments. This left the healthcare industry underprepared and underfunded to combat these new threats. For example, hospital cybersecurity spending, on average, only accounts for 5 per cent of IT spend [11].

In the new year, we expect healthcare leaders to finally take action, commit more resources to cybersecurity, and have a leadership position that is responsible for developing a comprehensive cybersecurity strategy that proactively manages risk, builds resilience and prepares the organisation for prevention, detection, and response capabilities.

While this may not necessarily be a new role, such as CISO, it may be part of an expanded responsibility set for the CIO, CRO, CTOO, or organisational equivalent.

Companies will look towards managed services to optimise budgets

Despite the increase in priority for cybersecurity, risk, and threat management, the economic uncertainty and fears of recession will likely lead to tighter budgets and more scrutiny on spending, which is likely to affect technology and cybersecurity departments.

Whether more money will be devoted to cybersecurity or not, it’s important to be cost-conscious without compromising on cybersecurity. Leaders in the healthcare industry have identified managed services [12] to be a much more attractive option compared to building out a cybersecurity department that’s likely to balloon in costs. We’ve also mentioned before [13] how increasing the number of security tools and vendors in a company’s environment won’t make the impact desired if there’s no cybersecurity department available to maximise tools.

Healthcare leaders need to prioritise having a comprehensive cybersecurity strategy in 2023. How healthcare organisations respond, adapt, and prioritise their cybersecurity will dictate how they fare among their peers. Data breaches are costly, compliance risks can’t be ignored [14], and a successful attack may be devastating for a healthcare organization and its patients if a proactive strategy isn’t in place. To find success in cybersecurity, and to truly adapt and react to today’s (and tomorrow’s) threat-laden environment, a full-fledged cybersecurity strategy is required.

References:

[1] https://businessinsights.bitdefender.com/despite-security-concerns-connected-medical-device-use-soars?hsLang=en-us

[2] https://www.medtechintelligence.com/column/how-iot-medical-devices-and-wireless-power-will-transform-patient-care-for-doctors-and-healthcare-providers/

[3] https://businessinsights.bitdefender.com/why-healthcare-iot-requires-stronger-healthcare-cybersecurity?hsLang=en-us

[4] https://www.armis.com/blog/5-healthcare-cybersecurity-predictions-for-2023

[5] https://fortune.com/2022/02/17/ransomware-attacks-surge-2021-report/

[6] https://venturebeat.com/security/healthcare-ransomware-attacks-are-increasing-how-to-prepare/

[7] https://edition.cnn.com/2022/11/10/investing/bitcoin-crypto-ftx-gold/index.html

[8] https://www.protocol.com/fintech/crypto-crash-ransomware

[9] https://www.imperva.com/learn/ddos/ransom-ddos-rddos/

[10] https://www.americanpharmaceuticalreview.com/Featured-Articles/580326-The-Growth-and-Complexity-of-the-Evolving-Digital-Health-Market/

[11] https://www.tripwire.com/state-of-security/healthcare-providers-need-to-increase-budgets-for-cybersecurity

[12] https://businessinsights.bitdefender.com/how-mdr-services-can-help-vulnerable-healthcare-organizations?hsLang=en-us

[13] https://businessinsights.bitdefender.com/why-all-companies-should-invest-in-layered-security?hsLang=en-us

[14] https://www.bitdefender.com/content/dam/bitdefender/business/products/managed-detection-and-response/Bitdefender-Whitepaper-HIPAA_Compliance.pdf
