Over the past few years, the healthcare industry has undergone a major transformation compared to other industries. The pandemic has forced healthcare companies to find new digital-first methods to serve their customers and adopt digital infrastructure services to maintain business operations. A KPMG study has found that 63% of healthcare organizations are making progress on their digital agenda, compared to 44% of organizations in other industries.
This shift has led to the rise of telehealth services and an increase in the adoption of SaaS partners, IoT devices, and digital infrastructure. As a result of this shift towards digitalization, healthcare industries have left themselves overexposed to risks and attacks. This is largely why healthcare companies have experienced a 69% increase in the volume of cyber-attacks, the highest of any other industry.
Now that much of the world is finding its footing, the challenge for 2023 is understanding how to adapt to a post-COVID world that incorporates this new digital transformation in ways that address cybersecurity as well as new, emerging threats. For healthcare industries - this requires balancing their digital initiatives with cybersecurity and implementing a thorough, comprehensive risk management and cyber resilience strategy that’s forward-thinking for 2023 and beyond.
Here are 4 healthcare cybersecurity predictions for 2023 healthcare leaders should be aware of.
1) Device security will be a major priority
The use of IoT devices and connected medical devices have always posed a risk to healthcare organizations, due to poor security in the devices themselves and because healthcare organizations generally don’t take the necessary precautions to minimize the risk of a breach. IoT device usage, however, is expected to increase and as manufacturers pay attention to security, the onus of securing these devices and the connecting networks will fall on security department leaders.
Remote care and telehealth services are also projected to increase. This is offsite care that will still require ongoing monitoring and additional devices that can relay information wirelessly and also be part of a patient’s overall treatment. Healthcare organizations shouldn’t fall into the same trap as medical devices and ignore potential security harms, especially since an attacker may now be able to attack a patient’s personal network, creating a new legal risk for healthcare providers.
Security leaders will need to handle an increasingly complex environment full of potentially insecure devices while also ensuring that new remote care and telehealth initiatives don’t expose the company to cyber, compliance, or litigator risk.
2) Attacks other than ransomware are likely to increase
Since the pandemic, ransomware attacks have seen a dramatic increase, rising 105% in 2021, and 94% over the last year for healthcare organizations. In 2023, however, we may see a less pronounced increase in the amount of ransomware attacks for a number of reasons. The dramatic drop in cryptocurrency values, the most common form of payment for ransomware attacks, may lead to attacks having a lower payoff, given the volatility of cryptocurrency prices.
The rise of ransomware overall, has been well documented and both organizations across industries as well as security vendors, tools, and partners have worked to minimize the risk and effectiveness of these attacks.
These factors might lead to attackers to shift their attacks from ransomware to other kinds of attacks that may have a higher success rate. This can include BEC attacks, ransomware, phishing, and ransom DDoS attacks, where attackers shut down a company’s servers or website until a ransom is paid. Hackers know that the healthcare industry is a prime target, so they may be the primary target for these new attacks, requiring healthcare organizations to focus on more than just ransomware with their cybersecurity strategy.
3) Cybersecurity leadership will finally be prioritized
The healthcare industry has always struggled with cybersecurity, largely due to a lack of priority, resources, and leadership. The last few years have introduced complexity, increased the average attack surface, and seen much more aggressive moves from malicious attackers who ramped up their attacks, particularly ransomware.
Despite these new and expanded risk factors, few healthcare organizations shifted their strategy and committed more resources to cybersecurity and IT departments. This led to the healthcare industry to be underprepared and underfunded to combat these new threats. For example, hospital cybersecurity spending, on average, only accounts for 5% of IT spend.
This need for healthcare cybersecurity has also caught the eye of the US government. On October 13th, the Deputy National Security Advisor for Cyber and Emerging Technology announced that new cybersecurity standards for the healthcare industry may be coming in the near future.
In the new year, we expect healthcare leaders to finally take action, commit more resources to cybersecurity, and have a leadership position who is responsible for developing a comprehensive cybersecurity strategy that proactively manages risk, builds resilience and prepares the organization for prevention, detection, and response capabilities.
While this may not necessarily be a new role, such as CISO, it may be part of an expanded responsibility set for the CIO, CRO, CTOO, or organizational equivalent.
4) Companies will look towards managed services to optimize budgets
Despite the increase in priority for cybersecurity, risk, and threat management, the economic uncertainty and fears of recession will likely lead to tighter budgets and more scrutiny on spending, which is likely to affect technology and cybersecurity departments.
Cybersecurity often has minimal resources to begin with but there is good news. Analysis and research from BCG shows that while many IT buyers are likely to fear a recession, they’re expecting to increase spending, particularly across digital services, including cybersecurity.
Whether more money will be devoted to cybersecurity or not, it’s important to be cost-conscious without compromising on cybersecurity. Leaders in the healthcare industry have identified managed services to be a much more attractive option compared to building out a cybersecurity department that’s likely to balloon in costs. We’ve also mentioned before how increasing the number of security tools and vendors in a company’s environment won’t make the impact desired if there’s no cybersecurity department available to maximize tools.
In 2023, MDR, XDR, and MSSPs are likely to be popular cybersecurity vendors for healthcare organizations who are committed to managing their risk effectively.
Healthcare leaders need to prioritize having a comprehensive cybersecurity strategy in 2023
How healthcare organizations respond, adapt, and prioritize their cybersecurity will dictate how they fare among their peers. Data breaches are costly, compliance risks can’t be ignored, and a successful attack may be devastating for an healthcare organization and its patients if a proactive strategy isn’t in place. To find success in cybersecurity, and to truly adapt and react to today's (and tomorrow’s) threat-laden environment, a full-fledged cybersecurity strategy is required.
Leaders need to consider cyber risk as organizational risk and develop a strategy that incorporates the company roadmap and overall goals in order to effectively secure the organization as it grows and expands. They also need to optimize any resources available and prioritize securing their expanded attack surface and ensuring any new tools, technologies, or partners result in a fast time to value.
The use of managed services is a promising trend and likely to be a major difference maker in the success of a healthcare company’s cybersecurity strategy. Given the priorities and risks involved, building out an entire cybersecurity department would take too long and likely result in a less effective cybersecurity strategy. The talent shortage is still a struggle for many companies so it’s not even guaranteed that a department can be filled even if the budget is there for additional workers.
Using one of the managed services such as MDR, XDR, or MSSPs can help alleviate the burden of having a cybersecurity department while also taking advantage of having 24/7 support, which can be crucial in case of an attack. This is a cost-effective way to have proactive security expertise working to detect, remediate, and respond to cybersecurity incidents. Finding a cybersecurity partner that prioritizes quick onboarding can help an organization realize time to value much more effectively than having an in-house strategy.
To learn more about these managed services, check out Bitdefender’s Managed Detection and Response.