How to Improve Health Care Cybersecurity on a Tight Budget

By Zachary Amos, Features Editor at ReHack

Health care information security has become paramount following cyberattacks targeting the industry. Successful attacks in the past have proven to be costly in terms of both financial and reputational losses.

At first glance, the solution seems rather straightforward — implement a more robust cybersecurity system. However, health care organizations must find ways to ensure the integrity of their digital infrastructure amid a series of funding cuts.

Cybersecurity Challenges in Health Care 

Information technology in the health care sector covers many systems, including electronic health records (EHRs), health tracking devices, medical equipment and software. These digital systems simultaneously represent potential access points for data breaches, making them prime targets for cybercriminals. The rate of attacks intensified in 2023, with 640 health care data breaches reported. 

Phishing remains the most common vector, with 95% of cyberattacks in 2022 beginning with an unsuspecting click on a malicious link. Other possible vectors include medical device vulnerabilities, ransomware and distributed denial of service (DDoS) attacks. Broadly speaking, three main cybersecurity issues face the health care industry.

Safeguarding Patient Data

According to Verizon, 77% of compromised data came from patients’ personal information in 2020. Cybercriminals mainly use these private details for financial gain. For instance, they might pose as the patient to submit fraudulent health insurance claims or force them to pay a hefty ransom to maintain confidentiality. 

Upgrading Costs 

Moving to a more robust security system means buying and installing new technologies and training staff. There are also costs associated with compliance processes to certify new equipment. Yet, upgrades are challenging to implement, as most health organizations allocate no more than 6% of their IT budgets to cybersecurity.

Reporting Challenges 

According to the U.S. Department of Health & Human Services, only health data breaches involving at least 500 individuals must be reported immediately. This presents reporting challenges, especially since a breach affecting less than 500 individuals can be just as devastating.

Stricter Budget Parameters 

Budget cuts are popping up across the health care industry, raising concerns over organizations’ capacity to prevent cybersecurity incidents without impacting patient care. At the start of 2023, significant health care funding cuts to Medicaid and the Affordable Care Act were already being discussed in the House of Representatives. Health care providers will also feel the pinch. Industry experts predict a 7% increase in health care costs in 2024, perhaps more with the 3.4% payment cut for physicians already underway. 

Making the Most of Health Care Cybersecurity Budget 

Health care providers and stakeholders must determine how to maintain solid, up-to-date cybersecurity systems with limited resource allocation. Follow these tips to get started.

  1. Do a Top-Down Cybersecurity Audit

Conducting a comprehensive review can help organizations identify potential gaps in their security infrastructure. It also allows them to establish a baseline of what they’re doing and what they’re not. An audit reveals issues and priorities so stakeholders can make informed decisions about where to allocate funds.

Reviewing current security policies regarding data integrity and confidentiality is a good way to begin. Auditors can better classify data and identify how much security is required to safeguard it. In the case of health care institutions, just about every bit of data stored and transmitted requires top-of-the-line protection.

  1. Consolidate Vendors

Many cybersecurity vendors offer multiple service options. Merging budgets with a single vendor can lower costs, as the medical facility can leverage its purchasing power to negotiate better prices and exclusive discounts. It can also lead to cost savings on administrative tasks like invoicing and contracts. So, it’s essentially more security coverage with lower overheads.

Consolidating vendors reduces the complexities of installing and maintaining a secure network. Hospitals can access all necessary security controls on a single platform, enabling quicker incident responses and improving efficiency.

  1. Update Security Tools and Software

Cyber threats evolve constantly, hence the need to create a process to keep security devices and systems updated. Installing regular updates deploys the latest security patches to the organization’s existing infrastructure for improved performance and optimized workflows.

With a limited budget, keeping every security software and tool up to date can take time and effort. Organizations should take advantage of cyber risk frameworks and prioritize updating systems that meet the requirements of these frameworks. For example, the health care cybersecurity guideline recommends automatic updates for intrusion prevention systems and antivirus software.

  1. Create a Culture of Cybersecurity

This includes regularly training employees in cybersecurity best practices, restricting access to sensitive data and having an up-to-date incident response plan. Cybersecurity culture starts in the boardroom. Getting the C-suite to buy in for strategic decisions around cybersecurity makes it easier to maintain a solid system and implement ongoing improvements.

  1. Tap into Free Resources and Grants 

The U.S. government’s 405(d) Program provides impactful tools and insights to improve the health care industry’s ability to mitigate cyber risks. Hospitals operating on tight security budgets can utilize these free resources to shore up their security infrastructure.

Some medical organizations may also be eligible for the State and Local Cybersecurity Grant Program by the Department of Homeland Security. This program offers funding for public entities at high risk of cyber attacks to mount more robust defenses. Federal, state and local health agencies fall under this purview.

Improve Health Care Cybersecurity 

Enhancing cybersecurity is a critical concern in the health care industry, even more so now amid a wave of budget cuts. No provider is 100% immune from cyber attacks, so stakeholders need to begin treating digital assets as they would patients. Just as health care professionals seek to provide excellent patient care, they must also address vulnerabilities in their information security network with similar focus and dedication.

As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.