You would think that with all the healthcare cyber-attacks in the news in 2024, cybersecurity would become a priority. The Change Healthcare incident, one of the worst events in recorded history, should have been a wake-up call.
The breach exposed millions of patient records, leading to fear of widespread identity theft and financial loss. Hospitals and clinics were forced to shut down temporarily, severely impacting patient care and trust in the healthcare system. And good luck if you needed a prescription for your medication. Many pharmacies had to resort to paper, resulting in an enormous process backlog. The financial repercussions were enormous, with Change Healthcare potentially facing substantial fines and a plummeting stock price.
Yet, in our conversations with customers, we consistently hear uncertainty about how to secure budget for their most pressing initiatives. Many of our customers at healthcare providers work in the CISO organization and want to take a risk-based approach to cybersecurity, but they have struggled to make the case for it to others. Some common questions they bring to us include:
- Why is it so hard to convince leaders of my security needs?
- Why is it so hard for me to justify my budget requests to financial leadership?
- Why is it so hard to convince anyone of the priorities I set?
- How can I communicate the importance and risk of not meeting our compliance requirements?
- How can I prioritize the risks that come from constantly integrating newly acquired companies and their technologies into the organization?
In this blog, I’ll break down exactly what is happening behind the scenes for healthcare cybersecurity professionals and how we are helping quell the anxiety of moving a healthcare cybersecurity program toward a more risk-based approach.
Everyone wins when there is less drama, confusion, and debate around communicating the importance of cybersecurity investments and getting the budget you need.
The inherent complexity of cyber is the root of all executive confusion
The simple explanation is that security has always been (and will always be) an inherently technical topic that has only recently become important to senior leadership, who are typically more versed in financial terms and trends than in technical ones. Combine that with an explosion of data and metrics from the myriad of security products every company runs, most of it carrying no meaning on its own, and you get a perfect storm: so much data that says very little to the decision makers of your organization.
Cyber data you possess is useless to others without the right business context
As security practitioners we see the world in terms of threats, vulnerabilities, and the tactics attackers may use against us, but without business context these are simply raw data points. What we need is the ability to transform those data points into a language that business leaders understand, so that they can evaluate any of the questions above (and more) in a context they are comfortable operating in.
You must think about aligning cybersecurity priorities with the greater business mission
This is hard enough for any organization, but for folks who work in healthcare the problem is exacerbated by operational changes that constantly add new and exciting tech, and by the amount of M&A activity that goes on in the space. Dealing with these challenges can be overwhelming for anyone, but having to conduct this kind of analysis for every newly acquired company (and its legacy tech stack) becomes insurmountable. It becomes a combinatorial problem where you’re trying to compare apples to orangutans across different companies, systems, and threats. Without understanding what each risk could cost you, this is impossible.
So what does a risk-based approach to healthcare cybersecurity look like?
Let’s examine how James Case, the CISO of Baptist Health, is thinking about it. We recently hosted a webinar with him, and I’d highly recommend you check it out!
Tip 1: Threat scenarios - know the key ones cold
According to James Case, a risk-based approach to healthcare cybersecurity begins with understanding the key threats facing an organization. For Baptist Health, this means focusing on high-impact risks like ransomware, data breaches, and supply chain disruptions that can directly impact patient care.
Tip 2: Quantifying risks in dollars and cents
The next step is quantifying these risks to determine their potential financial and operational impacts. CISO James Case uses risk quantification to illustrate cybersecurity issues for leadership in monetary terms and to prioritize mitigation efforts.
Tip 3: Continuous learning to stay on your A-game
Winning cybersecurity budget battles also involves continuous assessment and learning. As technologies evolve and mergers alter systems, new risks can emerge. Case advocates reviewing defenses following industry incidents to strengthen protections proactively. Ongoing evaluation and scenario planning help identify interdependencies and single points of failure. You can’t make the case without being the most cyber-educated person in the room!
Tip 5: Don’t be a cyber island: get other business units involved
A risk-based lens further means partnering across business units through a steering committee. This allows clinical, legal, and financial perspectives to weigh in on priorities based on their operational needs alongside technical safeguards.
Tip 5: Practice communicating cyber risk as a story
Communicating progress transparently is also key. Case shares the cybersecurity risk reduction journey with the Board through a storytelling approach. By outlining past risks and the improvements made, leadership understands how the program is maturing over time. This strategic, collaborative method aims to navigate challenges through informed decision-making focused on the risks that most directly affect patient safety and the overall mission.
Take the next step in your healthcare cybersecurity journey
As the healthcare landscape continues to transform, taking a strategic view of the cyber threats most critical to patient safety and operations will remain paramount. With care, diligence, and partnership across both technical and business domains, the promise of innovation need not be thwarted by the perils of being misunderstood and unable to secure the necessary budget. If you want to be the best cybersecurity communicator in the room, let us show you how! We’d be happy to give you a tour of the Axio360 platform, designed to help you quantify your cyber risks and get the cybersecurity budget you need.