Cyberattacks have increasingly become a significant threat in the healthcare industry, compromising vital operations and jeopardizing patient data. In May, Ascension, a prominent health care provider with a national presence, suffered a debilitating cyberattack that paralyzed its clinical operations for almost a month. Investigators traced the breach to ransomware infecting an employee’s computer, underscoring the healthcare sector’s vulnerability. This incident highlights a critical issue: healthcare organizations represent tempting targets for cybercriminals, given the wealth of personal, financial, and healthcare information they manage.
Cybersecurity risks in healthcare are escalating. A recent survey demonstrated that a staggering 88% of healthcare IT professionals had reported an average of 40 cyber incidents within their organizations over the previous year. This trend can be traced back to the burgeoning complexity of IT systems that many healthcare providers grapple with. Hüseyin Tanriverdi, an associate professor at Texas McCombs, highlights this complexity as a byproduct of decades of mergers and acquisitions that have led to the formation of extensive multihospital systems.
The ramifications of this complexity are far-reaching. Healthcare organizations often do not standardize their technological framework or care methodologies following a merger. As a result, disparate IT systems, varied care processes, and differing governance structures coalesce into a chaotic mass, posing a myriad of challenges for cybersecurity.
Tanriverdi, alongside co-authors Juhee Kwon and Ghiyoung Im, advanced this dialogue by distinguishing between “complicatedness” and “complexity” in IT systems. Complicatedness refers to systematic architectures with structured interconnections facilitating the prediction and control of processes. Conversely, complexity stems from vast numbers of elements that connect in more chaotic and unstructured manners, akin to the haphazard integrations following mergers.
This distinction is crucial when assessing healthcare systems. Tanriverdi’s research revealed that as these systems become more complex, their susceptibility to cyber breaches increases substantially. Notably, the most complex systems were found to be 29% more likely to suffer a breach, primarily because intricate systems offer more access points for cyber attacks and create additional potential for human error in security protocols.
Tanriverdi’s study identified multiple facets contributing to healthcare’s cybersecurity vulnerabilities. These include diverse medical services managing sensitive health data and a decentralized approach to strategic decision-making, where individual hospitals operate autonomously rather than under a unified corporate strategy. This lack of cohesive governance results in a fragmented security landscape, making it increasingly easier for malicious actors to exploit the system.
To combat these vulnerabilities, the researchers posited a transformative approach involving the establishment of enterprise-wide data governance platforms. These centralized systems can normalize disparate data types, streamline data sharing, and standardize security protocols. This approach has the capacity to convert complex and unstructured systems into more manageable, complicated ones—essentially creating a more predictable environment for IT security.
Tanriverdi’s examination of data from 445 multihospital groups from 2009 to 2017 indicates that implementing centralized data governance could reduce cybersecurity breaches by as much as 47% in the most complicated systems. By minimizing potential access points and fortifying cybersecurity measures, organizations can substantially reduce the risk of unauthorized access to sensitive patient data.
Additionally, Tanriverdi suggests that the solution should not solely encompass advanced technological measures; it also necessitates an emphasis on human elements in cybersecurity. Therefore, training programs for employees on cybersecurity best practices and stringent access controls are paramount.
However, it remains essential to recognize the complexities introduced by integrating new technologies. While it may seem counterintuitive to inject more complexity into an already intricate environment, Tanriverdi argues that this “good form of complexity” could ultimately mitigate the far more hazardous types currently pervasive in the landscape.
As the healthcare industry continues to navigate the murky waters of cyber threats, a reevaluation of existing security paradigms is crucial. By embracing a structured approach to IT complexity that enhances data governance, healthcare providers can better safeguard themselves against the persistent menace of cybercriminals. By investing in robust governance frameworks and prioritizing human cybersecurity practices, the healthcare sector stands a better chance of protecting its vital data and, by extension, the patients who depend on it.