Cybercrime is the greatest threat to every company in the world.
—Ginni Rometty, former CEO, IBM
Introduction
The healthcare industry faces unprecedented challenges, from shrinking profit margins and rising costs to regulatory complexities and the threat of new market disruptors. Failed enterprise cyber risk management (ECRM) programs and cybersecurity strategies only exacerbate business and clinical challenges. Chapter 2 of Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM) emphasizes the critical role of ECRM in addressing these challenges. By integrating cyber risk management into the broader enterprise risk management framework, healthcare organizations can protect their financial health, ensure compliance, facilitate mergers and acquisitions, compete with disruptors, and maintain their reputation.
Protecting the Balance Sheet
Healthcare organizations are experiencing financial pressures from various sources. Labor costs are rising due to a growing demand for healthcare workers and a declining unemployment rate. Pharmaceutical costs are also increasing, with hospitals reporting significant impacts on their ability to manage costs. Technological advancements and investments in new technologies drive substantial healthcare cost increases. Additionally, the ongoing digitization of healthcare, mainly through electronic health records (EHRs), adds to the financial burden as organizations must continually invest in maintaining and updating their systems.
A mature ECRM program can help mitigate these financial pressures by minimizing the risk of cyber incidents that could compromise healthcare data systems and devices. Data breaches and cyberattacks have severe economic consequences, including penalties, fines, legal fees, settlements, and reputational damage. The HHS Office for Civil Rights (OCR) saw a 101 percent increase in large breach reports from FY 2018 to FY 2022. In FY 2022, large breaches affected over 55 million people, and in FY 2023, that number soared to over 134 million individuals.
So, as I wrote in a recent article, Heads Up! Massive Increase in Proposed FY2025 OCR Budget: Focus on HIPAA Enforcement and Risk Management
Conquering Compliance Complexities
Healthcare organizations must navigate a complex regulatory landscape, including federal, state, and global regulations. Complying with these regulations is a significant challenge, often identified as a top concern by healthcare executives. For instance, the European Union’s General Data Protection Regulation (GDPR) impacts healthcare organizations worldwide, imposing stringent data privacy requirements.
A comprehensive ECRM program can streamline compliance efforts by providing a foundation for meeting the diverse requirements of various regulations. Many regulations, including HIPAA, CMS contract requirements, GDPR, and others, mandate comprehensive risk analyses as part of their data privacy and security programs. By implementing a robust ECRM program, healthcare organizations can ensure they meet these regulatory requirements efficiently and effectively.
Facilitating M&A Activity
Mergers and acquisitions (M&A) are a prominent trend in the healthcare industry, with numerous deals occurring annually. ECRM plays a critical role in M&A by addressing data security and privacy concerns that can make or break a deal. Data privacy compliance is often one of the most challenging aspects of M&A transactions.
The chapter provides a real-world example of a private equity firm proactively addressing cybersecurity and ECRM issues before selling a data analytics portfolio company. By identifying and mitigating cyber risk exposures, the firm ensured that ECRM was a non-issue during the transaction, facilitating a smooth sale. In contrast, the 2017 Verizon acquisition of Yahoo saw a $350 million reduction in the purchase price due to disclosed data breaches, highlighting the financial impact of inadequate ECRM.
Competing with Disruptors
Traditional healthcare providers compete with nontraditional disruptors like Apple, Google, Amazon, and Uber. These technology companies bring significant resources and expertise in leveraging data to improve the consumer experience and patient outcomes. However, they must also demonstrate that they can manage the healthcare industry’s specific security and privacy requirements. With their balance sheets and global regulatory experience, the disruptors have the resources and expertise to meet these requirements efficiently.
For example, Uber Health partnered with Clearwater to conduct ongoing risk analyses and ensure HIPAA compliance, thus earning the trust of provider partners and patients. By proactively addressing cybersecurity and ECRM, Uber Health successfully integrated into the healthcare market, demonstrating the importance of a robust ECRM program for traditional providers competing with tech disruptors.
Maintaining Organizational Reputation
Trust is a cornerstone of the healthcare industry. Patients must trust their healthcare providers to act in their best interest and protect their personal information. Chapter 3 of Stop the Cyber Bleeding underscores that data breaches and cyberattacks can severely damage an organization’s reputation, leading to loss of patient trust and financial repercussions.
One large urban health system experienced successive data breaches, prompting a regional competitor to launch a public relations campaign questioning the health system’s ability to protect healthcare data. This example illustrates the importance of maintaining a solid reputation through effective ECRM. As Warren Buffett famously said, “It takes 20 years to build a reputation and five minutes to ruin it.”
Leveraging ECRM to Address Challenges
An effective ECRM program can help healthcare organizations address a range of challenges. By protecting the confidentiality, integrity, and availability (CIA) of health information and systems, organizations can reduce the risk of financial losses due to cyber incidents. ECRM also aids in regulatory compliance, facilitates successful M&A transactions, enhances competitiveness against disruptors, and preserves organizational reputation.
Historically, healthcare organizations have viewed ECRM and cybersecurity as isolated IT issues. However, the chapter argues that ECRM must be viewed as a business enabler that supports the entire organization’s goals. Senior leaders and board members can turn ECRM into a competitive advantage by providing much-needed oversight and leadership.
Conclusion
Chapter 2 of Stop the Cyber Bleeding recognizes healthcare organizations’ financial, technological, workforce, regulatory, patient experience, competitive, consolidation, and cybersecurity challenges. It then provides thoughtful, actionable advice on how organizations can address these challenges. Further, it introduces the notion that a strong ECRM program and cybersecurity strategy can help address these challenges and create business value.
While this article clarifies significant challenges in the healthcare industry, it is just the beginning. With patient lives and organizational viability on the line, there is no room for complacency. Read more about the specific, tangible steps healthcare leaders must take to establish, implement, and mature robust ECRM programs, ensuring they meet the evolving standards of care and legal requirements in the digital age. Grab your copy of Stop the Cyber Bleeding today.