HEALTHCARE & MEDICARE

Despite progress, healthcare cybersecurity remains insufficient

Although most healthcare institutions are strengthening their cybersecurity efforts, serious vulnerabilities remain, according to research released by healthcare cybersecurity provider Fortified Health Security.

Healthcare providers have made great strides over the past five years, noted Fortified CEO Dan Dodson, especially in governance, response planning and risk assessment. He said the progress was spurred by major data breaches and increased regulation, which have made boards and executives pay more attention to cybersecurity.

“They realize that they have to be really prepared for the worst and incorporate response plans into their business continuity plans,” Dodson said. “However, with this advancement, it is also necessary to acknowledge that our opponents are constantly evolving their attack methods; therefore, we must continue to advance our cybersecurity plans.”

For example, most providers have stepped up efforts related to cybersecurity risk analysis, but that is not enough – they need to make sure they act on the findings in these assessments. In other words, it is more than just a framework exercise.

Dodson added that in most cases, the security gap for providers exists because they invest in advanced tools before they are confident in basics such as patching, password policies and access controls.

Overall, he believes three major cybersecurity challenges stand out among healthcare providers.

The first is AI. Dodson said providers are eager to adopt AI tools, but they often lack a clear governance framework to effectively manage the technology and its data exposure risks.

“At the same time, bad guys are already using AI to change their attacks on healthcare,” he said.

Third-party risk management is also a key area for providers to focus on, as they usually rely on hundreds of service and technology providers.

This network of partners is crucial, but it also brings a lot of risk. Dodson said that a weakness in a supplier's system can harm the entire health system, and providers are still figuring out how to mitigate the threat.

The last ongoing cybersecurity challenge for providers is simply a lack of sufficient funding.

“Some healthcare providers understand the basics of cybersecurity, but are still working to get the right budget to effectively manage this risk,” Dodson explained. “Cybersecurity competes with many other priorities, and some organizations, especially smaller or rural providers, are forced to make complex trade-offs. This makes them even more exposed, even if they have the right intentions.”

Moving forward, Dodson said the industry has no time to wait for regulatory clarity. In his eyes, there is no progress in playing it safe.

He noted that the most resilient organizations are those that decisively choose a cybersecurity framework, such as HITRUST or NIST, and quickly start executing it.

“Stop waiting because there will never be a perfect moment or situation to start. It has to start now,” Dodson said.

Photo: Boonchai Wedmakawand, Getty Images
