Five Strategies to Mitigate Cyber Risks

By Marlene Icenhower, BSN, JD, CPHRM, and Matthew Bertke, CPA, MBA

Cyber disruptions of any kind can cause devastating ripple effects throughout healthcare organizations. Sometimes issues are apparent, such as when ransomware immobilizes entire systems. Other cyber events are harder to detect; for instance, when “connected” technologies like MRI machines or CT scanners become compromised.

Unfortunately, hacking incidents and ransomware attacks against U.S. healthcare organizations are still on the rise. Cyberattacks increased by 128% from 2022 to 2023 alone.

Since hospitals and health systems can’t simply stop caring for patients while they address cyber concerns, proactive risk mitigation is critical. At the same time, however, they face genuine constraints. For example, do healthcare organizations have sufficient budgets to add or maintain adequate cybersecurity controls? Alleviating cyber risk in healthcare requires a careful balancing act.

As regulatory bodies discuss what minimum cybersecurity requirements should be implemented, there are many actions hospitals and health systems can take to reduce exposure and limit liability proactively. Here are five of them:

1. Conduct a risk assessment

The first step toward a solid cyber risk mitigation strategy is to perform a risk assessment. The assessment should inventory the systems and data the organization depends on, identify software, configuration, and connected-device vulnerabilities, and gauge exposure to social-engineering techniques such as phishing. (For HIPAA-covered entities, a documented security risk analysis is already a Security Rule requirement, so the assessment also serves a compliance purpose.)

Consider leveraging free resources such as the #StopRansomware Guide and the no-cost vulnerability scanning services available through the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Rural hospitals and health systems may want to tap into free or low-cost services offered by Microsoft and Google. Check with your liability insurance carriers, too, to take advantage of their sample cyber policies and protocols.

Although pinpointing every vulnerability is impossible, healthcare organizations can take the same approach to cyber risk as to workplace violence risk. Consider that the risk factors included in workplace violence prevention plans differ among organizations. These variations depend on factors such as the type of organization, the services offered, the facility’s location and size, etc. Similarly, cyber risk assessments should also take into account the vulnerabilities specific to each organization, knowing that they will vary from organization to organization.

2. Create a cyber incident response plan

No cyber defense strategy is foolproof. Therefore, risk mitigation also entails an organization-wide cyber incident response plan. A response plan is designed to add another layer of preparedness should an attack occur. The plan should be updated regularly as the organization changes and new cyber threats emerge, and it should be exercised (for example, through tabletop drills) so that gaps surface before a real incident does.

Make no mistake: Creating a cyber incident response plan is challenging. It must be multifaceted because, unlike other contingency plans (e.g., a natural disaster plan), it depends highly on the type of cyber incident being addressed. Still, the vulnerabilities identified in the risk assessment should serve as the foundation for the cyber response plan.

The plan should clearly document roles and responsibilities for responding before, during, and immediately after a cyberattack. The goal is for each person in the organization to know exactly what they need to do and how to do it. It should also outline how to isolate the organization from a vendor or business partner that suffers a cyberattack, including which network connections and data interfaces can be cut and how clinical and billing work continues while they are down. Because ransomware can take the document-management and email systems offline, keep a copy of the plan and its contact list where it can be reached without the production network. Be sure the response plan is both targeted and specific, customized to the areas of vulnerability identified by the risk assessment.

In addition, the plan should note how and when to engage external partners. For example, a hospital hit with a ransom demand should contact its liability insurance carrier before deciding whether to pay the ransom. Insurance companies often have useful intelligence about various bad cyber actors. They can help assess the likelihood of whether making the ransom payment to the bad actor will be futile or beneficial. Keep in mind that the FBI and CISA discourage paying ransoms, that payment does not guarantee working decryption or the deletion of stolen data, and that a payment to a sanctioned actor can expose the organization to penalties from the U.S. Treasury's Office of Foreign Assets Control (OFAC), so involve counsel and the carrier before any decision.

Report incidents to the local Federal Bureau of Investigation (FBI) office (or through the FBI's Internet Crime Complaint Center) and to CISA as well, to help thwart future attacks, and ensure the plan accounts for HIPAA breach notification obligations to affected individuals and the Department of Health and Human Services.

3. Manage cyber exposure

Healthcare organizations of all sizes are possible targets for cyberattacks. Small organizations—especially those in rural communities—might even feel the clinical and financial impacts more acutely.

Interestingly, cyber breaches in healthcare are not usually the result of clinical encounters. Instead, organizations tend to be exposed by their administrative and financial functions. Moreover, while technology can certainly have weaknesses, the weakest link in cybersecurity efforts is often the human element. People can easily fall prey to phishing attempts and other schemes perpetrated by bad actors.

That is why periodic training is a key mitigation strategy. IT departments should consider conducting phishing simulations and drills regularly to ensure cybersecurity remains top of mind for all employees, and the results of those simulations should feed back into the next round of training rather than being used to punish individuals. In fact, security training should be developed in response to each identified risk area. Staff in higher-risk departments (for instance, those with authority to move organizational funds or change vendor payment details) should receive different, more targeted training, such as how to verify payment-change requests out of band. Access to quality resources and expert guidance can empower healthcare organizations to not only recover from cyber incidents but also determine how to invest in their cyber defenses in the first place.

4. Optimize data security 

Of course, maintaining solid data hygiene practices is another essential part of cybersecurity. In collaboration with the IT department, regular software updates are crucial, including antivirus or endpoint protection software, security updates to operating systems, and, where the manufacturer supports it, patches for connected medical devices. IT departments should require multi-factor authentication (MFA), at a minimum for remote access, email, and privileged or administrative accounts, and should encrypt data both at rest and in transit.

Combine those efforts with specific plans for backing up data from every system necessary to keep the organization operating. Clearly denote who oversees data backups, who should perform them, and where the backup data should be stored. Offer plain, unambiguous instructions, such as, "Back up [specific system] data once per week using the [name of approach] method." Because ransomware operators routinely seek out and destroy backups, at least one copy should be kept offline or in immutable storage that cannot be reached with production credentials, and restores should be tested on a schedule; a backup that has never been restored is an assumption, not a control.
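As an added illustration (not code from the article or from Coverys), the following Python script turns the kind of backup instruction above into a check that can be run on a schedule. The manifest format, system names, cadences, and the byte strings standing in for backup archives are all constructed for the example; a real deployment would read the manifest from the backup system and hash the actual archive files. It flags backups that are overdue against their stated cadence, copies that are not held offline, archives whose contents no longer match the hash recorded when the backup was taken, and systems whose restore has not been tested recently.

```python
"""Backup-policy checker (added example; manifest and sample archives are constructed)."""
import hashlib
from datetime import datetime, timedelta, timezone

RESTORE_TEST_MAX_DAYS = 90  # assumption: a restore older than this no longer counts as tested


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the backup archives currently on disk, keyed by system.
SAMPLE_ARCHIVES = {
    "ehr-db": b"ehr full dump 2024-05-06",
    "pacs": b"pacs images 2024-04-01",
    "billing": b"billing ledger 2024-05-05",
    "scheduling": b"sched 2024-05-04 (partially overwritten)",
}

# Constructed manifest in the spirit of "Back up [system] once per week using [method]".
# 'sha256' is the digest recorded at backup time; 'offline' means not reachable from production.
MANIFEST = [
    {"system": "ehr-db", "owner": "DBA team", "method": "nightly full dump",
     "cadence_days": 1, "last_backup": "2024-05-06T02:00:00Z", "location": "offline",
     "last_restore_test": "2024-04-15", "sha256": sha256_hex(SAMPLE_ARCHIVES["ehr-db"])},
    {"system": "pacs", "owner": "Radiology IT", "method": "weekly image export",
     "cadence_days": 7, "last_backup": "2024-04-01T02:00:00Z", "location": "offline",
     "last_restore_test": None, "sha256": sha256_hex(SAMPLE_ARCHIVES["pacs"])},
    {"system": "billing", "owner": "Revenue cycle", "method": "weekly snapshot",
     "cadence_days": 7, "last_backup": "2024-05-05T02:00:00Z", "location": "onsite-nas",
     "last_restore_test": "2024-01-10", "sha256": sha256_hex(SAMPLE_ARCHIVES["billing"])},
    {"system": "scheduling", "owner": "Clinic ops", "method": "weekly export",
     "cadence_days": 7, "last_backup": "2024-05-04T02:00:00Z", "location": "offline",
     "last_restore_test": "2024-05-01", "sha256": sha256_hex(b"sched 2024-05-04")},
]

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 6, 8, 0, tzinfo=timezone.utc)


def parse_utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_backups(manifest, archives, now):
    """Return a list of (system, issue, detail) findings; an empty list means policy is met."""
    findings = []
    for entry in manifest:
        name = entry["system"]

        # 1. Freshness: last backup must be within the stated cadence.
        age = now - parse_utc(entry["last_backup"])
        if age > timedelta(days=entry["cadence_days"]):
            findings.append((name, "overdue",
                             f"last backup {age.days} days ago; cadence is {entry['cadence_days']} day(s)"))

        # 2. Isolation: ransomware that reaches the network must not reach the copy.
        if entry["location"] != "offline":
            findings.append((name, "not-offline", f"copy stored at '{entry['location']}'"))

        # 3. Integrity: the archive on disk must still match the hash recorded at backup time.
        data = archives.get(name)
        if data is None:
            findings.append((name, "missing", "no archive found for this system"))
        elif sha256_hex(data) != entry["sha256"]:
            findings.append((name, "integrity", "archive hash differs from recorded hash"))

        # 4. Restorability: a backup that has never been restored is untested.
        tested = entry.get("last_restore_test")
        if tested is None:
            findings.append((name, "untested", "no restore test on record"))
        else:
            test_age = now.date() - datetime.strptime(tested, "%Y-%m-%d").date()
            if test_age.days > RESTORE_TEST_MAX_DAYS:
                findings.append((name, "untested",
                                 f"last restore test {test_age.days} days ago"))
    return findings


def healthy_systems(manifest, findings):
    """Systems with no findings at all."""
    flagged = {system for system, _, _ in findings}
    return {entry["system"] for entry in manifest} - flagged


if __name__ == "__main__":
    results = check_backups(MANIFEST, SAMPLE_ARCHIVES, NOW)
    for system, issue, detail in results:
        print(f"{system:12} {issue:12} {detail}")
    print("meets policy:", sorted(healthy_systems(MANIFEST, results)))
```

Run against the constructed manifest, only the EHR database meets policy: PACS is five weeks overdue and has never been restored, the billing snapshot sits on a network share and its last restore test is stale, and the scheduling export no longer matches the hash recorded when it was taken. Each finding names a system, an owner, and a concrete reason, which is what the "who, where, how often" instructions above need in order to be enforced rather than merely written down.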

5. Review liability coverage

Even as healthcare organizations build a “cyber fortress” on the front end, they should likewise consider their back-end strategy. Before a cyberattack, they should understand the organization’s liability insurance policies and how they work.

Cyber policies differ from general liability policies or medical professional liability (MPL) policies as they can contain many insuring agreements. Specific expertise is necessary to understand what to look for in liability coverage, how to evaluate limits, and when to consider supplements. The appetite for policy coverages and limits is based on the risk assessment and the perceived strength of the organization’s cyber defenses.

Mitigate cyber risk to safeguard care

Hospitals and health systems cannot shut down operations and leave their communities without care. Therefore, proactively mitigating cyber risks is not merely a technological necessity but a critical component of patient safety and resilience.

By conducting thorough risk assessments, developing comprehensive incident response plans, managing cyber exposure through continuous training, optimizing data security, and reviewing liability coverage, healthcare organizations can better shield themselves from the ever-evolving landscape of cyber threats. These strategies can help healthcare organizations to continue delivering essential services without compromising patient care or data integrity.

Marlene Icenhower, BSN, JD, CPHRM, is a Senior Risk Management Specialist at Coverys with more than 30 years of combined medical-legal experience in a variety of settings. She can be reached at micenhower@coverys.com. Matthew Bertke, CPA, MBA, is the Reinsured Programs Product Manager at Coverys. He has been leading Coverys’ Cyber Liability product offering for more than 10 years including oversight of its Underwriting, Claims, Reinsurance, and Risk Management functions. He can be reached at mbertke@coverys.com