Cyberattacks, e.g., ransomware, are so common in the healthcare industry these days, we’ve almost become numb to the stories. So far in 2023, more than 220 cyberattacks have targeted healthcare organizations and more than 36 million people were affected. In all of 2022, 44 million people were affected by cyberattacks.1 Staggering numbers like these continue to reveal the focus bad actors have in healthcare.
As the Healthcare IT Risk & Compliance team at FORVIS discusses the increase in attacks with industry leaders, we still see a false sense of security (pun intended) from them. Many leaders feel that with the prevalence of attacks on healthcare, their cybersecurity must be sufficient if their organization has yet to become a victim. It’s the “no news is good news” theory. What we know as professionals with experience in the Healthcare IT Risk & Compliance space is that implementing a robust, proactive approach to cybersecurity risk and compliance management is a great way to help increase protections and decrease the risk, impact, and exposure of a potential attack.
How to Help Prevent Cyberattacks in Healthcare
Step One: Leadership should evaluate their technology and compliance resources—people and financial—to assess their ability to design and implement a proactive risk management and compliance approach. Does the organization have the proper resources, and do those resources have availability to commit to performing a risk analysis and compliance assessment annually? Are the resources experienced in risk management and regulatory compliance requirements? Is it more cost-effective to hire a trusted advisor to perform these functions?
Step Two: Develop a risk and compliance strategy that outlines the goals, frequency, framework(s) to be utilized, key functional areas, key technology and systems, and personnel involved in the execution of the analyses and assessments.
Step Three: Execute the analyses and assessments, making sure a trusted framework is used as the baseline. It’s encouraged to obtain and review evidence rather than perform an inquiry-based assessment.
Step Four: Compile the gaps and issues identified in the assessments and develop corrective action plans to strengthen or remediate. Management should develop detailed action plans, assign plans to an individual or group, and document an estimated completion date.
Reducing downtime is critical to patient care for a healthcare organization’s IT systems. Following the four steps above can help progress your organization in its technology risk and compliance program and foster the adoption of a proactive approach. If you have questions or need assistance to help reduce risk, please reach out to a professional on the Healthcare IT Risk & Compliance team at FORVIS or use the Contact Us form below.
- 1“After a Lull, Ransomware Attacks on Hospitals Are Rising Again,” chiefhealthcareexecutive.com, July 10, 2023