MetricStream’s CEO and Co-Founder, Gaurav Kapoor, shared his insights on Health Care Business Today, explaining why healthcare leaders need to prioritize cybersecurity and industry-wide collaboration to protect patient data.
This article was originally published by Health Care Business Today.
With lives on the line, data breach and risk events in healthcare are especially critical.
2024 saw the largest healthcare data breach ever reported in the U.S., and more than 300 additional breaches have been reported across the industry.
Despite being one of the most heavily regulated sectors, healthcare continues to be one of the biggest targets for cybercriminals. What is more concerning, attackers’ skills will only continue to improve.
Healthcare leaders are advised to keep cybersecurity a priority in 2025 and to push for industry-wide collaboration to address the ongoing threat of cyberattacks. By prioritizing fundamental cyber hygiene steps to prevent and address threats, healthcare organizations can close their most easily exploited vulnerabilities and work together to protect patient data.
With a rich ecosystem of confidential, personal patient data, health systems are both high-value and low-hanging fruit for attackers looking to extract a ransom, sell records on the dark web, or cause chaos.
Though the healthcare sector has seen rapid, largely positive digitalization, especially since the COVID pandemic, many organizations still rely on legacy technology.
As a first step, basic cyber hygiene practices, such as patching and upgrading software, enforcing strong, unique passwords and multifactor authentication, and conducting regular employee training, can address easily preventable vulnerabilities and reduce insider risk.
Health leaders then need to focus more deeply on two key areas of vulnerability: data security and third-party risk.
Though leaders are aware of the importance of protecting patient data under existing regulations like HIPAA, another component of maintaining data security is ensuring that data sharing is both seamless and secure. Organizations must ensure their EHR platforms and related digital systems are regularly updated and follow the most current compliance standards for data storage and sharing. Healthcare records should be encrypted both at rest and in transit, so that a record is protected whether it is sitting in storage or actively being shared.
Third-party risk poses an enormous threat to health systems because of the sheer number of partners and suppliers that connect into them: everything from billing services to cloud providers to internet-enabled medical devices represents a third-party risk. It only takes one of these systems being compromised to impact the entire health system. It is imperative for healthcare organizations to actively and continuously monitor their third-party partners and to conduct comprehensive, periodic audits to ensure ongoing compliance.
Today, comprehensive risk management encompasses both prevention and resilience: preventing risk events where possible, and reacting quickly when one does occur while maintaining business continuity.
Many organizations, especially in healthcare, focus only on the former. In such a regulated industry, compliance can become a box-checking exercise. But managing risk is proactive: leaders must go a step further, preparing for future risk and planning for what happens when a risk event occurs.
Health leaders should consider taking a page from another highly regulated, high data volume industry – the banking and financial services industry – when strategizing how to proactively protect against risks.
Banks work together as an industry to disclose risk events, share strategies, and learn from one another’s experiences to strengthen their risk programs. Regulators such as the FDIC require this kind of disclosure because banks are so highly interconnected, having learned the dangers of systemic risk from past non-cyber events like the 2008 housing crisis and the banking crisis of 2023. Those events highlighted the need for both prevention and resilience, as well as for systematic disclosure of breaches.
Similarly, 2024’s health breaches showed just how interconnected health systems are, and how vulnerable they can be when breached. A breach at a third-party partner can disrupt payments, medical equipment, ambulance services, and life-saving processes, which is not only costly to set right but can have devastating consequences for healthcare outcomes.
As health leaders continue to advance the interoperability and digitalization of healthcare systems, they also need to collectively prioritize cybersecurity, data safety, and third-party risk management practices. Strategies for managing risk should be proactive in nature, interconnected across the health system, and continuously enforced not just within the organization but also with third-party partners.
Cyberattacks affect the entire healthcare system: not only the organization that is hit, but, through ripple effects, the rest of the ecosystem as well. Healthcare organizations carry a mission to protect their patients, so they owe it to those patients to work together, learn from each other’s best practices for protecting patient data, and instill an industry-wide culture of risk awareness.