Tech resilience for healthcare providers
News Mania Desk / Piyal Chatterjee / 24th March 2025

Cyberattacks targeting the healthcare sector have been increasing. Global ransomware incidents have risen every year and nearly doubled in 2023 compared with 2022. In the United States, attacks surged by 128 percent during that period. The disruptions caused by these attacks can lead to significant, enduring impacts on healthcare systems and patients.
Worldwide, healthcare provider organizations bear the highest data-breach costs of any industry, averaging $9.8 million for each incident, over 1.5 times the financial-services sector’s $6.1 million, as per IBM’s Cost of a Data Breach Report 2024. Beyond monetary losses, cyberattacks may also hinder patient care. In 2023, 12 percent of surveyed healthcare organizations that encountered a cyberattack via email indicated a rise in mortality, a decrease from 21 percent in 2022. Additionally, 71 percent indicated unsatisfactory patient outcomes due to delays in tests and procedures, up from 60 percent the previous year.
In addition to cyberattacks, outages may also arise from different causes, including technological malfunctions and natural events. Utility firms are beginning to proactively shut off power to avert wildfires in regions anticipated to experience extreme weather, which can hinder operations, especially at businesses reliant on outdated, uninterruptible power systems. Furthermore, a long-standing lack of investment in modernizing IT applications has made provider organizations vulnerable to technology failures. No matter their origin, outages jeopardize providers’ primary goal—delivering high-quality care—with effects that include postponed essential procedures and tests, extended hospital stays, complications from interventions, and rising mortality rates.
Technological resilience is therefore essential not only for business continuity but also to guarantee seamless patient care. Tech resilience includes the ability to oversee, avert, identify, and rebound from interruptions.
The increasing severity, complexity, and frequency of outages risk outpacing healthcare organizations’ investments in cybersecurity and resilience. In 2023, healthcare entities allocated approximately 7 percent of their IT budgets to cybersecurity, based on an analysis by McKinsey. In a survey conducted in 2023, 47 percent of participants indicated they lack sufficient funds for a robust cybersecurity plan.
With insufficient investment, numerous providers’ software, firmware, and hardware may become incompatible, unreliable, inadequate, or outdated. For instance, insufficient ongoing maintenance or investment in upgrading power backup systems for data centers can lead to a disastrous inability to recover. Additionally, insufficient geographical and physical alignment of data centers, occasionally due to mergers and acquisitions of healthcare systems, can create obstacles for organizations in modernizing, maintaining, and safeguarding technology assets and infrastructure. These elements heighten an organization’s susceptibility to external risks.
A major interruption to essential healthcare operations that depend heavily on supporting computing capabilities, such as imaging or remote patient monitoring, creates a difficult scenario for contingency planning. It is very improbable that specialized personnel can be scaled up quickly enough to manage the usual volume of work associated with computing, leading to immediate backlogs and delays. These impacts extend across the healthcare ecosystem and can swiftly influence crucial care choices that rely on that information.
Provider organizations often rely on vendors and intermediaries for vital data and processes, including EHRs, health information exchanges, and electronic data interchange (EDI) transactions. This dependence implies that even organizations with robust technological systems and operational practices are vulnerable if their suppliers are breached. In 2023, 12 percent of data breaches in various sectors resulted from attacks on third-party software vendors, which typically take longer to detect and resolve, and generally incur higher costs compared to direct attacks.
Tech outages caused by cyberattacks have become a significant worry for healthcare organizations. In a survey conducted among healthcare cybersecurity experts, most participants (58.5 percent) indicated that email phishing was the initial trigger for their organization’s most critical security breach, followed by spear phishing (31.4 percent) and SMS phishing (28.82 percent). Moreover, AI can present new dangers and escalate pre-existing threats. Large language models (LLMs), which can effortlessly create text, audio, images, and other content, can improve malicious individuals’ capacity to mimic authorized personnel across email, voice simulation, or alternative platforms. This progress has rendered phishing tactics (such as email, spear, or SMS) more believable, with a significant rise in harmful emails since the public debut of generative AI tools. Additionally, the translation capabilities of LLMs enhance the potential for worldwide phishing operations.
To achieve IT resilience, organizations should consider the entire patient journey and clinician workflow, not just individual parts like applications or infrastructure. For example, in emergency department triage, EHRs should be resilient, but other parts like identity access management systems can cause disruptions. Identifying components, including vendor systems, that will have the greatest negative impact on patient care is crucial. IT department investments should be prioritized based on risk exposure or importance for patient care and business. Organizations should group workflows into four tiers: mission critical, business critical, operational, and administrative. Resilience levels should be determined for each tier, and remediation should be prioritized.
Provider organizations need to update operational processes like incident management, change management, and vendor management regularly to prevent potential incidents and reduce response time. By streamlining and automating these processes, organizations can reduce response time by up to 60 minutes and hold vendors accountable for preventing future incidents. This can help identify high-risk changes for review. Organizations should focus on bolstering their IT operations and utilizing advanced analytical capabilities, such as AI, to predict and prevent future failures. They should also invest in site reliability engineering to automate incident identification and self-healing. Regular end-to-end testing of resilience, including third-party systems, is essential. As cyberthreats increase and concerns about natural disasters grow, provider organizations must prioritize business continuity and consistently test and build capabilities through simulations and disaster recovery drills.