News

More than a Third of Medical Practices Can’t Cite Cybersecurity Response Plan, Study Finds

In the face of escalating cyberattacks, more than a third of medical practices in the United States have no cybersecurity incident response plan in place, leaving them exposed to potentially devastating data breaches, financial penalties, and patient safety risks, according to a recent report by Software Advice. The finding comes as Congress considers new federal cybersecurity standards for the healthcare industry, aimed at establishing stronger baseline defenses and reducing the sector's exposure to malicious digital threats.

Software Advice's latest survey ("Six Critical Elements of a Strong Cybersecurity Incident Response Plan for Healthcare Practices") reveals that 59% of healthcare practices hit by ransomware reported disruptions to patient care, a stark reminder of the immediate impact cyber incidents can have on the sector. Unlike in most other industries, the stakes in healthcare are exceptionally high: a cyberattack can make critical medical records inaccessible, halt the operation of vital devices, and delay emergency procedures, with potentially life-altering consequences.

"Downtime from a cyberattack can disrupt production, profits, and reputation for most businesses, but in healthcare, it means inaccessible medical records, malfunctioning devices, and delayed critical procedures," said Lisa Morris, associate principal medical analyst at Software Advice, in a statement. "To mitigate these risks for patients, it’s essential to implement robust cybersecurity measures, including response plans and employee training."

The urgency to protect medical data is prompting legislative action. The proposed Health Infrastructure Security and Accountability Act aims to set minimum cybersecurity requirements across the healthcare sector, a move lauded by experts as a long-overdue measure to safeguard patient data and healthcare operations. If enacted, the legislation would represent a significant step toward formalizing standards that have been largely recommended but not mandated, leaving many providers vulnerable.

Healthcare practices are, however, increasingly adopting foundational cybersecurity measures. Software Advice's research shows that 89% of practices have implemented two-factor authentication (2FA), a basic but effective control against unauthorized access with stolen or reused passwords. A preventive control is not a plan for what happens when it fails, though: without a comprehensive incident response plan, which is a more proactive and holistic approach to security, many organizations remain ill-prepared for increasingly sophisticated attacks.

The financial toll of a cyber incident is also severe. For healthcare providers, the costs go beyond data recovery and often include steep legal fees, forensic investigations, and regulatory fines. The reputational damage is equally concerning: a single breach can erode patient trust and drive patients to providers they perceive as more secure.

Experts from Software Advice emphasize that healthcare providers, especially smaller practices, must establish and regularly update comprehensive cybersecurity incident response plans. Drawing on its latest research, the company highlights six critical components of an effective plan, which map closely to the incident response lifecycle described in NIST SP 800-61:

  • Preparation: Conduct a detailed risk assessment to identify vulnerabilities, and establish an incident response team with clearly defined roles and contact details that are available even when the practice's own systems are down.
  • Identification: Implement monitoring systems to detect breaches early, and assess the severity and scope of an incident swiftly.
  • Containment, Eradication, and Recovery: Be ready to isolate compromised systems from the network, remove malware and any attacker persistence, and restore data from backups verified to be clean before returning to normal operations.
  • Communication: Set up clear internal and external communication channels, ensuring that legal reporting requirements (for U.S. practices, the HIPAA Breach Notification Rule's deadlines for notifying affected individuals and HHS) are met promptly.
  • Documentation and Reporting: Keep meticulous, time-stamped records of actions taken during and after an incident, documenting all responses and compiling a post-incident report.
  • Post-Incident Review: Analyze how the response went, identify areas for improvement, and integrate lessons learned to bolster the plan against future threats.

"A solid incident response plan can mean the difference between a brief interruption and a prolonged crisis," Morris said. "With such a plan in place, a practice is not only protecting itself but also safeguarding its patients and their data."

Although larger hospitals often have the resources to invest in advanced cybersecurity tools, small to mid-sized practices frequently operate on limited budgets that make robust cybersecurity software hard to afford. Nevertheless, given the rise in healthcare-focused cyberattacks, experts stress that the cost of failing to invest in cybersecurity could be far greater.

The healthcare industry is gradually recognizing the value of tools such as email security controls, firewalls, and real-time threat detection systems. These technologies, combined with a tested incident response plan, form the multi-layered defense needed to protect against modern threats.

For medical practices seeking to strengthen their cybersecurity, Software Advice provides guidance, recommendations, and verified user reviews to aid in selecting tools designed to meet the demands of the healthcare environment.

As healthcare providers await the possible implementation of federal cybersecurity standards, the onus remains on individual practices to act. Developing and enacting a cybersecurity incident response plan, experts agree, is a crucial step forward in minimizing the impact of cyber threats on healthcare—a sector where data security can directly affect lives.

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].
