'Warfare mindset' key to justifying cybersecurity investment, experts say

"If we in healthcare don't start treating this as a war on our physical and financial well-being, we will lose." That's the bottom line when it comes to convincing hospital and health system leaders that investments in cybersecurity are worth it, according to Mary Chaput, CFO of cybersecurity firm Clearwater Compliance.

Chaput and Cliff Kittle, principle healthcare information security expert at SecureWorks, are making their case in a new white paper entitled "Justifying Cybersecurity Investment with a Warfare Mindset."

It's no secret that the healthcare industry has taken a severe beating in the last two years, suffering numerous damaging cyber attacks largely thanks to ransomware, a seemingly simplistic method that has wreaked havoc on hospitals, practices, and payers alike. It has caused the compromise of millions of pieces of private patient information and the shutdown of health systems. Meanwhile, according to Chaput and Kittle, ransomware code is easy to come by, available on the dark net for as little as $39.

[Also: Healthcare data attacks fall, but cybercriminals have new target in unstructured data]

Between the cascade of data breaches, the scarily simplistic nature of the attacks, and expert after expert professing the probability that things are going to get worse, it would seem a foregone conclusion that convincing execs to invest in cybersecurity would be easy. It's not.

Hospital finances are strained and complicated, and Chaput and Kittle said the usual standard by which investments are judged does not lend itself favorably to cybersecurity. Most healthcare organizations tout a mission for quality and improved patient outcomes, and therefore ROI must perceived as directly causational to achieving it. For many leaders, investing in information security may not seem directly tied to patient outcomes, and is therefore often stepped over for other investment options with a more obvious connection.

To justify cybersecurity investments a new mindset and approach are needed, Chaput and Kittle said.

"Until now, the return-on-investment focused on the reduction of fines and legal fees; a valid argument, but now patient safety and reputational damage are in the calculation. No longer focused just on the confidentiality of patient data, potential compromise now includes the modification and unavailability of that data, putting at risk the appropriate and timely medical care for the patient."

[Also: Health data breaches in March surpassed January and February combined, study finds]

So if there is to be justification for investments to prevent, or at least mitigate such events, a warfare mindset that makes investments a key strategy to protecting patients, their information, and their outcomes could be the battle that helps win the war on hackers.

When preparing the plan on selling these investments, Chaput and Kittle write that those at the helm must develop a justification for funding that boasts a comprehensive framework that explains the challenges a system faces, like ransomware, traditional malware hacking and medical device hacking as well as any other issues already known. A periodic risk analysis and risk response can help inform this framework, as well as knowledge of the system's current strength and weaknesses, the authors said.

Justifying the return on cybersecurity investment can also be helped by emphasizing data that shows the financial impact of a breach, and then drawing a comparison between those figures and what security investments might cost.

Chaput and Kittle cited a study by the Ponemon Institute showing that the average cost of a data breach is $402 per record, and as such a breach of 10,000 records would cost an organization, on average, $4,020,000. Many breaches seen in 2016 involved that many records, and more.

"Once the cost of a data breach has been calculated specifically for your organization compared to the cost of the controls you are recommending, the leadership team will start to see the wisdom of the investment," Chaput and Kittle said.

Healthcare executives should also calculate the damage done on several other levels, and how those financial hits compare to the cost of investing in information security and protecting patient data from the enemy.

[Also: Breaking down the financial toll of healthcare data breaches]

First, reputational damage due to compromised patient information can be substantial and long-term, as patients may decline to use your practice or hospital, and staff might leave. Recruiting talent can also be made more difficult.

The resources needed to deal with a breach can be astronomical, from remediation, mitigation, and legal costs all the way to getting socked with HIPAA and OCR fines. Operational difficulties are not to be overlooked either, with a study by Experian showing that 50 percent of IT pros said loss of productivity was the worst part of their breach, the authors wrote.

Finally, clinical repercussions are directly tied to patient care and quality, and can include processing of fraudulent claims, compromise in the integrity of the patient's health information resulting in delayed or inaccurate diagnosis or treatment, and contaminated clinical trials, the authors said.

"One thing is for sure, the cost to the organization of a data breach will be much more than the cost of the new controls, training and support staff that should be implemented to mitigate the risk." 

Twitter: @BethJSanborn