Despite Progress, Healthcare Cybersecurity Is Still Falling Short – MedCity News

Although most healthcare organizations are strengthening their cybersecurity efforts, serious vulnerabilities still persist, according to research released this week by Fortified Health Security, a healthcare cybersecurity vendor.

Healthcare providers have made significant strides over the past five years, especially when it comes to governance, response planning and risk assessments, pointed out Fortified CEO Dan Dodson. This progress was spurred by major data breaches and increased regulatory attention, which have pushed boards and executives to take cybersecurity more seriously, he said.

“They realize they must truly be prepared for the worst and have a response plan integrated into their business continuity plans,” Dodson stated. “However, with this progress, it is also important to acknowledge that our adversaries are continually evolving their attack methods; therefore, we must continue to advance our cybersecurity initiatives.”

For instance, most providers have beefed up their efforts related to cybersecurity risk analysis, but that’s not enough; they need to make sure they act on what they find in those assessments, he noted. In other words, it needs to be more than just a check-the-box exercise.

In most cases, providers’ security gaps exist because they invested in advanced tools before they became confident in the basics like patching, password policies and access controls, Dodson added.

Overall, he thinks three main cybersecurity challenges stand out for healthcare providers.

The first is AI. Providers are eager to adopt AI tools, but they often lack clear governance frameworks to effectively manage this technology and its data exposure risks, Dodson said.

“At the same time, the bad guys are already using AI to alter their attacks on healthcare,” he remarked.

Third-party risk management is also a key area on which providers need to focus, as they typically rely on hundreds of service and technology providers.

This network of partners is essential, but it also creates a lot of risks. A weakness in one vendor’s system can compromise an entire health system, and providers are still figuring out how to mitigate this threat, Dodson declared.

The last ongoing cybersecurity challenge for providers is simply lack of adequate funds.

“Some healthcare providers understand the cybersecurity fundamentals but still struggle to get the appropriate budget to manage this risk effectively,” Dodson explained. “Cybersecurity competes with many other priorities, and some organizations, especially smaller or rural providers, are forced to make complex tradeoffs. That leaves them more exposed, even when they have the right intentions.”

Moving forward, Dodson said the industry doesn’t have time to wait for regulatory clarity. In his eyes, progress doesn’t happen by playing it safe.

He noted that the most resilient organizations are those that decisively pick a cybersecurity framework, like HITRUST or NIST, and quickly begin executing it.

“Stop waiting, because there will never be a perfect moment or situation to start. It has to start now,” Dodson stated.


Photo: boonchai wedmakawand, Getty Images