The Urgent Need For Cyber Resilience in Health Care

A US hospital closed two years after a ransomware incident, highlighting that the health sector continues to be under threat.

What is the situation in Germany, DACH, and EMEA?

Let’s take a closer look at the ENISA Threat Landscape: Health Sector and the IBM Cost of a Data Breach Report 2023.

Healthcare also tops the IBM cost of a data breach report for 12 consecutive years with USD 10.93M per breach in 2023.

The DACH region continues to be under threat, Germany in particular: ransomware attacks on organizations in the health sector rose from a total of six in all of 2022 to four in the first quarter of 2023 alone.

Hospitals are particularly affected, and ransomware is the prime threat in the sector (54% of all reported attacks). The main threat actors are cybercriminals hitting targets for financial gain by going after patient records and other sensitive data.

The health sector is highly regulated. As a result, the cost of a data breach increases significantly in the 12 months after the breach: analysis and remediation take time, and litigation kicks in. The long-term costs are significant.

This is particularly worrying as the health sector will not be able to pass on costs to customers, as is common practice in other sectors. This means institutions will suffer long term, lacking the ability to invest in new protection and in improving processes.

Yet, there is much that can be done to alleviate the situation. ENISA highlights that 95% of organizations must overcome challenges in conducting risk assessments, while 46% have never conducted a risk analysis.

IBM highlights that detection and escalation are particularly costly, a worrying thought given the lack of proper risk assessment. With only 27% of organizations having a dedicated ransomware defense program and 40% lacking security awareness programs for non-IT staff, action is urgently needed.

The sector must prepare for the future

Organizations can no longer afford to operate without a defense program or without training their employees, especially since the NIS2 directive will hold top management accountable for the security of their organization.

A comprehensive security assessment is also urgently required given attacks on the supply chain (targeting hardware and software). Vulnerabilities in software are frequently the root cause of attacks. With the integration of OT and IT in health care, this must not be underestimated.

Organizations in the sector also often struggle to adopt new technologies that offer automation because of stringent regulatory requirements; legacy IT and shadow IT are the resulting challenges. This means organizations are unlikely to benefit from the cost savings through automation that the IBM report highlights.

Time is of the essence when detecting and remediating attacks. As ENISA highlights, effects on patient care are becoming more common: emergency departments are shut, surgical operations are suspended, time-critical therapies are delayed, and patients might be diverted to other hospitals. Recent reports also highlight cyber incidents at suppliers affecting health care organizations.

Instilling a security culture for better preparedness

Reports indicate that organizations with better security cultures detect, remediate, and recover more quickly from cyberattacks. They save money by training their employees to react appropriately and quickly.

A competent workforce equipped with the right tools and knowledge, driven by a security mindset and a shared sense of responsibility, is the sign of a great security culture. Active participation is both its evidence and its result.

Successful organizations appreciate the value of security awareness training for improving security culture, and they follow strategic approaches to build sustainable programs to shape their culture.