The U.S. healthcare industry is still reeling from the Change Healthcare ransomware attack that crippled operations for the UnitedHealth Group subsidiary back in February and prevented thousands of provider groups and systems from processing claims or transmitting payments for several weeks afterward. The Change Healthcare attack comes on the heels of 2023 being the worst year on record for healthcare data breaches. It is no wonder that cybersecurity infrastructure was a major industry focal point during HIMSS’ global healthcare conference held in Las Vegas in March. And yet, in a September IANS Research report, researchers found that the only industry in the U.S. that spends a smaller share of its IT budget on cybersecurity than healthcare (8.1%) was the retail industry (7.2%). Why is that?
Financial Headwinds Impacting Hospital Decision-Making
2023 was a brutal year financially for healthcare organizations, as sky-high labor costs pushed median hospital operating margins to an anemic 1.2%, per consultancy Kaufman Hall. This operating margin crunch put significant pressure on hospitals and healthcare systems to cut costs, which led to some hospitals taking fairly draconian measures such as outsourcing entire enterprise IT teams. And while early indications are that 2024 will be a better fiscal year for hospitals than 2023, most hospitals are running on razor-thin margins at the moment.
The challenge with demonstrating an ROI from cybersecurity solutions is that most of the value is measured in savings from avoided data breaches (i.e., it’s about preventing a “stick” rather than producing a “carrot”). It is much easier for hospital executives to justify a sizable contract with a digital health vendor that has a history of proven operational savings or growth in revenues. This carrot-versus-stick incentive dynamic with vended cybersecurity solutions is likely a key factor in why hospitals currently spend so little on it relative to other areas of digital health investment.
Healthcare IoT Security is Critical to a Robust Cybersecurity Infrastructure
Healthcare IoT security solutions play a critical role in safeguarding hospitals and health systems against the evolving landscape of cyber threats targeting interconnected medical devices and networks. With the total volume of IoT devices expected to reach more than 18 billion by 2030, the attack surface for healthcare systems has expanded significantly beyond just a network and connected IT equipment. Leading IoT security vendors also monitor and protect against data breaches on IoMT assets (e.g. medical devices, clinical monitors), connected IoT devices (e.g. patient wearables or fitness devices), networked building systems (e.g. HVAC, power systems, lighting control), as well as any and all network communication happening between them.
The Ponemon Institute, a think tank “dedicated to independent research and education that advances the responsible use of information and privacy management practices within business and government,” estimates that the average cost of a healthcare data breach in 2023 was $10.93 million (a 53% increase since 2020). For the 13th year in a row, healthcare was the most expensive industry for data breaches in their analysis. Another data report suggests that the average organizational downtime caused by healthcare data breaches reached nearly 19 days in 2023.
Moreover, a recent Ponemon Institute report indicates that approximately 40% of healthcare systems’ connected enterprise devices are currently unmanaged – meaning they are not actively monitored or protected by IT or cybersecurity systems. Data from Cynerio, a cybersecurity developer, estimates that 56% of US hospitals had their IoT/IoMT devices attacked during 2021 or 2022. The number of healthcare data breaches has increased every year since 2009, which means hospitals and healthcare systems should be meaningfully increasing their investment in cybersecurity infrastructure accordingly.
A large 2022 poll of healthcare IT or security leaders found that 89% of the surveyed organizations experienced an average of 43 cyber-attacks over the previous year – averaging nearly one attack per week.
The market is already showing signs of this happening. Salient highlights include:
- Approximately half of U.S. health systems increased their cybersecurity budgets from 2021-2022 (52%) and from 2022-2023 (47%)
- A 2024 survey of health system executives (N=144) cited cybersecurity infrastructure as the top priority (55%) for 2024 digital and/or IT investments
- Available industry reports suggest a compound annual growth rate (CAGR) for the healthcare IoT security solutions market of around 20% for the next decade
We’ve reached a tipping point where healthcare organizations can no longer afford to underprioritize their cybersecurity infrastructure – and early indications are that IoT security is a particular area of vulnerability for healthcare organizations. Case in point: a 2023 Moody’s report referred to the healthcare industry as “cyber poor” and said that health systems will need to significantly increase their cybersecurity investments to protect patient data and ensure continuity of operations.