Keeping Health Systems Secure: The Increasing Importance of Cybersecurity
By Jared Teo, HealthQuest Capital (6-minute read)
At HealthQuest, we take “Best Ideas” from our investment professionals and form pods to investigate and develop investment theses. Below we dive into some of the more serious cybersecurity challenges we see facing health systems and explore some innovative solutions and technologies that may be used to combat them.
Health systems are continuously digitizing their operations, leading to rapid growth in sensitive data and increased risks of cyberattacks. This data has tremendous value to criminals, allowing them access to personal identity details, compromising patient security, disrupting medical care, and damaging finances and reputation. Given the devastating consequences, health systems are directing significant attention towards cybersecurity initiatives to protect against these increasingly sophisticated attacks.
Our research highlighted several themes:
Increasing frequency and size of cyberattacks. Patient records are in high demand as they contain some of the most valuable personal data. Yet, health systems seem to have less developed cyber defenses when compared to other industries and are attractive targets for bad actors. The frequency of cyberattacks on hospitals and health systems more than doubled from 2016 to 2021, and the incidents have exposed the protected health information of nearly 42 million patients.[1] The most significant attack in 2022 exposed over 600K patient records.[2]
Growing number of attack surfaces. With the rapid adoption of technology in healthcare, there are now more opportunities for malicious actors to breach health systems. From connected medical equipment and home monitoring devices to a wave of industry mergers and acquisitions, entry points are rapidly increasing.
Hospitals lack the resources to invest in cybersecurity. The global pandemic has presented a unique set of challenges for health systems. Operating margins are often strained, leaving many with limited resources to address outdated and vulnerable platforms. Cybersecurity is especially critical for many smaller hospitals that are often dealing with limited resources and staffing compared to larger organizations with specialized IT teams that can develop more sophisticated cybersecurity practices. With limited resources available, these smaller institutions can be easy targets for hackers.
The impact of an attack is not just confined to IT. In 2022, the consequences of cyberattacks in healthcare were serious; 67% of surveyed healthcare organizations reported that a Business Email Compromise (BEC) and/or ransomware attack disrupted patient care, and 24% acknowledged that ransomware increased the mortality rate.[3] Additionally, a 2022 breach resulted in a $150M impact on a health system due to business disruption and additional IT expenses.[4] Even more concerning is that this industry has the highest cost per breach at an average of $10M per breach – and this does not include the impact of damage to reputation and brand image.[5]
Shortage of skilled cybersecurity professionals. Health systems need qualified cybersecurity talent to protect their data and information, yet this talent pool has become elusive. This shortage leaves health systems vulnerable to debilitating cyber-attacks, making hiring skilled professionals an urgent priority.
Innovative solutions and technologies
Innovative solutions and technologies are essential in safeguarding sensitive patient data and IT systems. From artificial intelligence (AI) powered tools to medical Internet of Things (IOT) management to Identity Access Management (IAM) to blockchain-based systems, here are some of the innovative solutions and technologies we are excited about:
Artificial Intelligence: AI is a particularly attractive technology when it comes to powering healthcare cybersecurity solutions. Capabilities include the ability to:
Analyze historical data to predict and prevent future cyber threats, enabling healthcare organizations to take proactive measures to prevent potential attacks.
Automate the detection and response of threats in real-time, providing faster and more accurate identification of potential threats. For example, AI can help monitor network traffic to detect unusual behavior, such as connections between unrelated devices (e.g., infusion pump to imaging equipment) or user behavior that may indicate unauthorized access to patient records.
Detect advanced threats that traditional rule-based systems may miss, such as zero-day attacks and advanced persistent threats (APTs).
Scale to handle vast amounts of data and identify patterns that may be missed by human analysts, making them particularly effective for healthcare organizations with large volumes of data.
Adapt and learn from new data, continually improving accuracy and effectiveness over time.
Medical IOT management: Solutions that identify, monitor and trigger alerts for connected medical devices. Healthcare organizations are rapidly adopting connected medical devices; however, unlike conventional IT assets (e.g., laptops, tablets, and mobile phones), many of these devices may not be managed by IT teams and traditional security solutions often can't see or secure them. While these devices improve patient care, many seem to lack robust security, often making them easier entry points into an organization’s network. The leading approaches typically monitor behavior with known profile baselines instead of static parameters.
Blockchain: Through its distributed ledger technology, blockchain may be a more secure way for hospitals to store and manage patient health information. Unlike traditional database architectures, a decentralized system allows organizations to share data across multiple stakeholders while seeking to prevent malicious actors' unauthorized access or manipulation of records – providing secure storage of protected health information (PHI). Overall, blockchain technology is still nascent but has the potential to be an impactful enabling technology.
Identity Access Management: IAM is typically designed to be an essential Zero Trust security strategy component. Zero Trust is a security model that assumes every request, user, and device is untrusted, and seeks authentication and authorization before granting access to resources. Unlike a traditional security framework, it is typically designed to not grant unfettered access upon entering a single password.
IAM’s goal is to ensure that only authorized users are granted access and this is often achieved by implementing a combination of technologies and policies that work seamlessly together with minimal disruption to user workflow. In addition to common security technologies like Multi-Factor Authentication (MFA) or Single Sign-On (SSO), a proper IAM solution also incorporates technologies such as Role-based Access Control (RBAC), which assigns permissions to users based on their role within the organization (rather than on an individual basis), and Attribute-based Access Control (ABAC) which grants access to resources based on a set of attributes, such as the user's job title or location.
If you are working on solutions that address the cybersecurity challenges health systems are facing or are interested in this space, please get in touch with our team at HealthQuest.
This material is intended for information purposes only, and does not constitute investment advice, a recommendation or an offer or solicitation to purchase or sell any securities to any person in any jurisdiction. This material may contain estimates and forward-looking statements, which may include forecasts and do not represent a guarantee of future performance. This information is not intended to be complete or exhaustive and no representations or warranties, either express or implied, are made regarding the accuracy or completeness of the information contained herein. The opinions expressed are as of June 2023 and are subject to change without notice. Reliance upon information in this material is at the sole discretion of the reader. Investing involves risks. Past performance is not a guarantee of future results. There is no guarantee any investment strategy will be successful. HealthQuest Capital Management, L.P. is an investment advisor registered with the Securities and Exchange Commission
[1] https://jamanetwork.com/journals/jama-health-forum/fullarticle/2799961
[2] Source is available upon request.
[3] The Cost And Impact On Patient Safety And Care. https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf
[4] Source is available upon request.
[5] Cybersecurity Nightmares: The Cost Of Healthcare Cyberattacks In 2023. https://intraprisehealth.com/the-cost-of- cyberattacks-in-healthcare/