The evidence is clear: healthcare providers that underfund their cyber resilience plans suffer serious financial impacts following a security breach or ransomware attack. The immediate need is to find funds for system recovery, staff overtime, and legal costs, while still maintaining adequate cash reserves to remediate the vulnerabilities that contributed to the initial breach.
While those costs are substantial, more significant challenges soon follow, including cash flow disruptions from months of delayed claims processing that can approach an estimated $100,000 per bed (or $50M for a typical 500-bed hospital).
The transition to downtime procedures requires clinicians to document treatment manually on paper. Transcribing those paper records back into the EHR introduces billing inefficiencies, such as lost charge capture, estimated at 6% of the revenue billed during the gap, which equates to roughly 1% of total annual revenue.
In competitive markets, cyberattacks have also been shown to cause patients to lose confidence and seek new providers, further eroding long-term revenue. In some cases, ill-prepared providers have been unable to recover from this confluence of events and have closed their doors for good, as happened to a small practice in Michigan and a provider in California.
CFOs face a choice: start investing in a cyber resilience program now, or make contingency plans to recover after a likely cyberattack. The logical answer is both, because history has proven that hospitals cannot prevent 100% of attacks, so equal effort must be allocated to preparing for recovery after an attack. Why is this the case? The answers are simple. First, healthcare appears to be one of the least prepared sectors, underfunding security by 40% compared to banking and manufacturing.
Only in 2019 did hospitals, on average, cross the threshold of spending 6% of their IT budget on security. Compared with the 10%+ ratio in other industries, the gap is apparent. Second, healthcare organizations are being targeted as easy victims: there were 491 reported ransomware attacks on healthcare organizations in the first nine months of 2019.
Governments, including municipalities, were a distant second with 68 attacks, and educational institutions were third with 62. Healthcare also makes an attractive target because of its need to provide care at all times; downtime is simply not an option in a Level I trauma center.
Measuring Cyber Resilience Using the Now or Later Model
Cyber resilience is the ability to continue delivering patient care, and to keep supporting back-end operations, despite an adverse cyber event. Organizations often find that becoming truly cyber resilient requires investment in the business itself, and the trend is moving in that direction, yet a large portion of healthcare CFOs choose to ignore cybersecurity and invest in other aspects of the business instead.
Typical CFO responses to cybersecurity fall into two buckets: invest later, when budget and time allow (an opportunity most organizations rarely get), or, worse, invest only after a cyber incident has occurred.
CFOs who have lived through a cyber-induced outage will attest that waiting to address the risk results in a greater revenue loss than making the investment up front would have. As John F. Kennedy said, “The time to repair the roof is when the sun is shining.”
How Can a CFO Influence Cyber Resilience of an Organization?
Healthcare CFOs have ultimate control over their organization’s ability to build a cyber resilience program, and investment decisions require accurate information. Unfortunately, metrics that reveal an organization’s ability to respond to and recover from a cyberattack are rarely collected or shared. CFOs can quickly gain insight by looking beyond the budget at how cyber resilience responsibilities are assigned and monitored:
- Get involved: Review the after action reports from the last two cyber resilience program exercises. Verify that the reports identify gaps and that those gaps are tracked as risks with owners and due dates.
- Expand scope: Verify that the executives for all critical functional areas have business continuity plans and participate in the exercises. Ask each department lead how they would continue operations using entirely manual processes if IT systems were unavailable.
- Validate: Add a cyber resilience assessment to next year’s budget. Conduct a simulated ransomware attack to find out where the weaknesses are and how an incident would financially impact the business.
- Increase visibility: Track cybersecurity and business continuity spending separately, and make the topic a standing item in regular C-suite discussions.
- Independent perspective: Invite the third-party risk assessment vendor to lead an executive workshop. These workshops are high-level and identify the key initiatives that will improve the maturity of the organization’s security program.
Cybersecurity may not feel like it falls within the CFO’s wheelhouse or purview, but the health and success of the organization ultimately rests on the shoulders of every member of the leadership team. It is imperative that the entire C-suite is on board with the organization’s ability to prepare for, respond to, and recover from a cyberattack.