KLAS: Cybersecurity must be a business imperative for healthcare
Viewing cybersecurity as a business imperative can help organizations secure stakeholder buy-in and enhance cyber resilience, researchers suggest.
More than 70% of surveyed healthcare executives reported financial, clinical or operational disruptions due to cyber threats in the past year, a new report published by EY and KLAS Research revealed. As cyberattacks continue to threaten patient care, healthcare organizations are increasingly treating cybersecurity as a top organizational priority that drives value and improves outcomes.
EY and KLAS surveyed 100 healthcare executives responsible for cybersecurity decisions, largely from provider and payer organizations. The research was also informed by an executive forum hosted by EY and KLAS, in which experts shared their thoughts on cyber resilience.
"Cyber needs to be a shared responsibility across the organization and the health ecosystem," the report stated.
"In a time of tight budgets, cutting cyber investments can leave health organizations more vulnerable and ultimately lead to higher costs. Health executives must pivot from viewing cyber as a cost center to a strategic enabler of the business."
Escalating risk drives cybersecurity prioritization
The fallout from a healthcare cyberattack can be detrimental to a healthcare organization's operations, reputation and bottom line, with 72% of respondents reporting moderate to severe financial impact to their organization in the last 24 months.
In the last year, phishing has remained the top threat to healthcare organizations, according to the respondents. Phishing was followed by third-party breaches, malware, data breaches, ransomware and business email compromise.
In the coming year, healthcare executives are anticipating increased investments in identity and access management, vulnerability management and security software managed services -- three areas that have seen increased risk in recent years.
The results showed that cybersecurity professionals have long understood the importance of reducing cyber risk. However, they are now becoming more comfortable with advocating for additional funds and championing cybersecurity best practices.
More than 80% of survey respondents stated that prioritizing cybersecurity in their business strategy is effective for overcoming challenges, and 65% of executives reported feeling empowered to make decisions regarding the allocation of funds to cybersecurity initiatives.
Barriers to cyber resilience persist
Even as the cyber threat landscape's volatility drives increased prioritization of cybersecurity within healthcare organizations, challenges remain.
Nearly two-thirds of respondents said that competing organizational priorities or tight budgets were barriers to achieving their cybersecurity goals.
Moreover, even organizations with increased funds and resources dedicated to cybersecurity continue to experience cyber events.
"This disconnect -- where authority exists but outcomes lag -- highlights a resilience gap," the report stated.
"While cyber executives say leadership support has improved, additional resources and backing are needed. Leaders said the challenge isn’t getting approval, but sustaining commitment when budgets tighten or priorities shift."
Third-party risk, workforce shortages and AI-driven threats have all contributed to the ongoing cybersecurity challenges faced by healthcare organizations nationwide. Respondents report struggling to balance innovation with the adoption of cybersecurity requirements.
The key, respondents and researchers say, is to frame cybersecurity as a business imperative rather than a set of technical and administrative safeguards that need to be applied to achieve compliance.
"By tying cyber to the success of other business needs -- in this case geographic expansion or smart care models -- healthcare executives can shift the narrative around cybersecurity from a compliance obligation to a value creator," the report noted.
"Cyber creates value by preserving the ability to deliver safe, efficient and trusted care. A new storyline that speaks to cybersecurity’s potential to help the organization transform may be more successful in securing buy-in and investment from stakeholders."
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.