The healthcare industry has been plagued by cybersecurity issues for decades, as hospitals and other care facilities typically lack the time and funding to keep digital devices totally up-to-date. Still, most organizations conform to compliance laws about information security, so few healthcare institutions were overly concerned about existing cyberthreats.
However, the WannaCry ransomware crisis that afflicted the U.K.’s hospitals served as a significant wake-up call: Healthcare tech is even less secure than experts thought. That so many institutions still rely on Windows XP, and that so many fail to complete the most basic of security practices, was a shock to many in the cybersecurity field, and healthcare administrators around the world began scrambling for solutions.
Reactions to WannaCry and Other Recent Cyberthreats
Admittedly, the healthcare industry and others are hardly out of the woods when it comes to WannaCry. The ransomware worm, which exploits network file-sharing protocols of infected machines to spread from device to device, attacked nearly half a million computers around the world in just 14 hours on May 12, 2017. Though the efforts of cybersecurity professionals and the media have dampened WannaCry’s rapid pace, the malware is far from dead, and healthcare organizations still have much to fear from the dangers lurking on the web.
Governments around the world have reacted to WannaCry in various ways. For example, Russia confidently believes the threat has passed, while Israel and India remain concerned and on high alert. The United States has increased its security spending and has offered aid to domestic and international institutions that have suffered from the attack.
Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), is optimistic about WannaCry’s effects. In response to the crisis, healthcare institutions were forced to consider and invest in their cyber-defenses. If nothing else, WannaCry alerted the healthcare world to the reality of cyberthreats. In response, all but the smallest of healthcare practices have begun research into healthcare cybersecurity software, security firms, and security staff, all of which will keep their devices, data, patients, and workforce safe and operational.
On one hand, WannaCry was hardly a success for its creators: The malware barely netted over $100,000, and less than half of that has been collected by the hackers.
On the other hand, WannaCry stands as an exemplar for how destructive malware can be. Cybercriminals of the near future can follow in WannaCry’s footsteps to create equally devastating, more profitable programs, and if healthcare institutions remain as unprepared as they were for this year’s major attack, they stand almost no chance of surviving the certain future onslaught. Thus, as Kim suggests, healthcare organizations need to invest in those technologies that will keep everyone safe as threats evolve – but most organizations are afraid of the costs.
The Costs of Security — And the Costs of Insecurity
Keeping devices, networks, and organizations safe from digital threats isn’t free – and it isn’t even cheap. Healthcare institutions must acquire and maintain hardware, software, and trained staff, the costs of which often amount to over a million dollars every year for large hospitals and care organizations. Smaller practices must devote a sizeable portion of their administrative budget to complying with security regulations, let alone protecting their devices and data with the latest cybersecurity tech and techniques. Worse, as demand for cybersecurity increases, security costs will undoubtedly increase; in 2015, the cybersecurity industry was worth $75 billion, and experts predict the industry will grow to nearly $232 billion by 2022.
Unfortunately, not all healthcare institutions can afford such significant costs. Technology is developing faster than healthcare organizations can adapt, and the constantly shifting security needs are putting many organizations outside their budgets without making their data or devices as safe as necessary. When presented with the choice between purchasing life-saving medicines and tools and investing in cybersecurity, most healthcare administrators opt for the former.
Investing in any digital technology, including cybersecurity, often seems like a risk. Data management and security tools could easily become money pits which prevent healthcare centers from providing the care for which they are responsible. However, allowing insecurity is more than a financial risk – it is certain financial doom. Already, cybercrime costs U.S. businesses hundreds of billions of dollars each year, and by 2019, that figure might rise to over $2 trillion. Healthcare organizations cannot afford to lose anything to criminals – neither the money cybercriminals steal nor the time required to recover from cyber-attacks. In the end, the costs of insecurity vastly outweigh the costs of security, and healthcare institutions must realize this fast.