As cyber threats continue to rise, healthcare organizations are feeling the heat to protect sensitive patient data. According to a 2023 report by IBM, the healthcare industry experienced the highest average cost of a data breach for the 13th consecutive year, with an average of $10.93 million per breach.
The growing financial and operational risk of cyber threats in 2024 has prompted many medical practices to reassess their cybersecurity strategies. A Sept. 17, 2024, MGMA Stat poll found that more than seven in 10 (72%) medical group practices increased their spending on cybersecurity measures in 2024, while 28% did not. The poll had 326 applicable responses.
The latest poll’s findings echo previous MGMA polling around escalating expenses for medical group practices:
- A July 9, 2024, MGMA poll found that more than one in four (26%) practice leaders said IT was the source of their biggest non-labor rise in expense this past year.
- A 2023 MGMA poll found that nearly three out of four medical groups (74%) reported higher health IT compliance expenses in the previous year.
For those who increased their cybersecurity spending this year, the reasons most cited included:
- Increased costs of cybersecurity insurance
- More threats and risks to the organization, including past breaches
- Implementation of additional security measures, infrastructure updates and employee training.
Several members reported that they faced cyberattacks at their own organizations in the past few years, while others expressed growing concern over the increasing threat. “It's a matter of when, not if,” stated one member. “We have increased spending on insurance as well as additional new security capabilities.”
Many of the organizations that responded “no” to increasing their cybersecurity spending indicated they had already implemented protective measures in previous years. One respondent cited upgrades following a ransomware attack in 2021. Others reported their organizations have implemented general infrastructure improvements like new firewalls, servers and Wi-Fi systems with enhanced built-in security.
Assessing threats today
As cyberattacks become more sophisticated and frequent, healthcare organizations in 2024 are facing some of the biggest security threats to date. In May, a cyberattack on one of the largest healthcare systems in the U.S., Ascension, caused widespread disruption to healthcare operations, including preventing access to EHRs and forcing staff to resort to manual processes for patient care.
This incident highlights the ongoing vulnerability of healthcare systems to ransomware attacks and the devastating consequences of prolonged outages, as seen in earlier breaches like the one involving Change Healthcare in February. According to a March 2024 AHA survey, 94% of hospitals experienced a financial impact from this cyberattack, with over half reporting the impact as “significant or serious.”
Handling outages and downtime
For more information on how to deal with unplanned outages or downtime:
- “Averting crisis with a well-documented plan for EHR, RCM downtime” (MGMA Stat)
- “Crisis Averted: Effective Downtime Protocols for Your Revenue Cycle Operations” (On-demand webinar)
Expanding challenges in healthcare IT
The constantly expanding IT environment in healthcare — with many new cloud-based applications and platforms — adds complexity for IT teams. Managing the sprawl of connected systems is a growing challenge for cybersecurity professionals. For example:
- EHR systems: Cloud-based electronic health records improve access but introduce more entry points for cyberattacks.
- Telemedicine platforms: Virtual consultations link to EHRs and billing systems, expanding vulnerabilities across multiple platforms.
- AI diagnostic tools: AI and machine learning systems rely on cloud data, making them targets for data manipulation or breaches.
- IoT devices: Connected medical devices (e.g., patient monitors, infusion pumps) create security risks if not properly secured.
- Patching and updates: Multiple platforms with different protocols make it difficult to apply consistent security measures across systems.
This rapidly growing IT landscape demands constant vigilance from cybersecurity professionals, who must track and manage the vulnerabilities and dependencies between these interconnected systems. As healthcare organizations continue adopting more cloud-based solutions, they will need to ensure proper governance and secure configuration, and carry out regular audits, to minimize risks while benefiting from digital transformation.
The healthcare industry is also struggling to hire talented cybersecurity professionals. This shortage is driven by multiple factors, including the overall demand for cybersecurity experts across industries and the specialized skills required for healthcare-specific security needs.
- High demand across sectors: Cybersecurity talent is in short supply, with industries like finance and tech attracting top candidates.
- Specialized knowledge gap: Healthcare cybersecurity requires expertise in both IT security and regulations like HIPAA, limiting the talent pool.
- Cost of in-house staff: Smaller practices often can't afford dedicated cybersecurity teams, leaving them vulnerable.
- Outsourcing challenges: Third-party vendors may lack healthcare-specific expertise or provide insufficient support during real-time attacks.
This talent gap makes it harder for healthcare organizations to secure their networks against evolving cyber threats.
AI in healthcare: Addressing new security concerns
In addition to the growing challenges posed by cloud-based platforms, the rise of artificial intelligence (AI) in healthcare has introduced new risks. In a recent MGMA podcast interview, Chris Bevil, Chief Information Security Officer at InfoSystems, Inc. Tennessee, highlighted the importance of developing robust AI policies to prevent the unintentional exposure of sensitive patient data.
“When using tools like ChatGPT or other generative AI platforms, you don’t always know where the data is going,” Bevil warns, noting that healthcare organizations must establish clear policies and guardrails for AI use to prevent the exposure of Protected Health Information (PHI) and maintain compliance with regulations like HIPAA.
Bevil shared a real-world example of how easily AI can be misused in healthcare settings. “At an MGMA state conference, a speaker mentioned using AI for performance reviews, but many didn’t realize the risks of inputting personal data into these tools,” he said. “You need to be cautious and anonymize data to avoid any potential breaches.”
He also recommends forming dedicated committees, which include stakeholders from various areas of the organization, to oversee the use of AI. “It’s critical to have a governance strategy in place before fully integrating AI into your practice,” Bevil advises. “Make sure your policies and procedures are updated to reflect AI usage, and always have a compliance plan in case of an incident.”
Bevil will delve deeper into these cybersecurity challenges and opportunities at the 2024 MGMA Leaders Conference during his session, “Navigating Cyber for GenAI in Practice” on Monday, Oct. 7.
Learn more at #Leaders24
Will you be attending the 2024 MGMA Leaders Conference, October 6-9, in Denver? Here are some additional sessions that may help you navigate the ins and outs of cybersecurity in your practice:
- “Become Financially Resilient Through Digital Transformation” (Sunday, Oct. 6)
- “Discussion Group: Navigating Cyber for GenAI” (Monday, Oct. 7)
- “Bold Predictions for the Future of Healthcare” (Tuesday, Oct. 8)
Prevention and response strategies
In a September 22, 2023, MGMA article, “Managing the impact of healthcare data breaches on your organization: Prevention and response strategies,” Lisa Levy, content specialist at Satori, emphasizes that data security should be a central focus in healthcare organizations’ strategic planning, warning that breaches not only violate patient privacy but also erode trust and carry substantial financial costs.
In addition to cybersecurity insurance, Levy outlines several key strategies for preventing attacks, such as:
- Upgrading IT systems with advanced firewalls and encryption methods to safeguard patient data.
- Implementing intrusion detection systems to monitor for suspicious activities and alert system administrators in real time.
- Training staff regularly to identify threats such as phishing and ransomware, reinforcing a culture of security awareness.
Levy also recommends having a comprehensive incident response plan in place, to ensure healthcare organizations can respond swiftly and effectively in the event of a breach, limiting damage and maintaining patient trust. She states, "Hope for the best, but prepare for the worst," highlighting the need for preparedness and a well-rehearsed response strategy.
Ultimately, Levy concludes that cybersecurity in healthcare is "not a one-time fix but an ongoing commitment." She says organizations must constantly evolve their defenses to stay ahead of emerging threats, ensuring both the safety of patient data and the protection of their reputation in an increasingly vulnerable digital landscape.