Healthcare is no longer delivered solely on sprawling fortress-like hospital campuses. The landmark Affordable Healthcare Act and rapidly evolving connectivity have decentralized healthcare in unforeseen ways. Sure, there are still large hospitals, but more and more of the nation’s healthcare is being delivered in smaller doses: corner clinics, chain drugstore walk-ins, or smaller satellite campuses. And, of course, more and more healthcare is being dispensed in the patient’s residence. From blood-glucose monitoring to pacemakers, the hospital has come home.
“It’s definitely a different universe than the one healthcare used to inhabit, but all of these changes in how healthcare is delivered have created vast new attack surfaces to defend,” says Wayne Mitchell, a cybersecurity consultant in Austin, Texas.
Cybersecurity spending is not impacted by economic headwinds
I recently visited a small healthcare facility in rural northwest Ohio that provided walk-in care to patients from within a 50-mile radius. The director shared that even though her budget was under strain, the one thing she couldn’t cut was the cybersecurity expenditure. In fact, she recently upped her contract with a local managed service provider (MSP) to broaden their services.
A new report from Nuspire, a Michigan-based MSP, confirms what I experienced – that healthcare providers are a prime opportunity for MSPs and MSSPs in 2023. The report states:
“The ever-evolving cybersecurity landscape and end-user error and education remain the biggest challenges for CISOs/ITDMs, with end-users accounting for much of their worries, specifically malware/ransomware, phishing, and cloud security breaches.”
Some key takeaways from Nuspire’s annual CISO report:
- 10 percent of CISOs and ITDMs manage all their cybersecurity needs in-house.
“This statistic is very illustrative of the fact that healthcare is hurting for in-house talent, but if they can’t do it in-house, an MSP is a logical option, and MSPs need to position themselves that way,” Mitchell says.
Other findings include:
- 42 percent of CISOs/ITDMs say that their budget for cybersecurity has increased and that their spending will follow, despite recent economic trends pointing toward a recession.
The report also points to cybersecurity insurance as growing in popularity. According to the report: “2023 trends reveal more stabilization within the cyber insurance industry. The skyrocketing rates in 2021 and 2022 are starting to slow, the underwriting process is improving, and organizations feel better prepared to adhere to policies’ stringent requirements.”
MSPs find opportunity in awareness training and incident response
The report also highlights a few other areas where demand for MSP services is on the rise:
Employee education and awareness training: Outsourcing training has become a “must have” as few organizations feel equipped to handle it in-house. This is a service that many MSPs are far better equipped to handle.
Incident response: Companies are realizing the need for quicker and more thorough incident response. Minutes equal money, and a slow response can be the difference between inconvenience and catastrophe.
The healthcare clinic I visited in Ohio experienced a ransomware attack in January, which shut down their systems. Medication had to be dispensed the old-fashioned way, and some critical-care equipment was rendered useless. Fortunately, their MSP was able to have the clinic back up and running within six hours.
“The incident response was something we could not have done in-house,” the director noted. “There is no way we could have handled that internally; our MSP was able to focus on getting our systems back up while we focused on patient care.”
She doesn’t blame the attack on lax security by the MSP, and goes on to explain, “We actually skimped on that part of their service package, and we ended up paying a much higher price, so that won’t happen again.”
Security vulnerabilities require an appropriate response
So, if healthcare clients are finding themselves with more money to spend on MSP-provided cybersecurity, what are some of the critical areas to focus on in client engagement?
Mitchell says MSPs can pitch their ability to monitor anomalous data trends, which may point to a breach somewhere in the ecosystem. Other aspects MSPs can push include:
- Cloud security: Healthcare organizations are increasingly moving to the cloud, which creates new security challenges. MSPs can help healthcare organizations secure their cloud environments by implementing appropriate security measures.
- IoT security: Healthcare organizations also increasingly use Internet of Things (IoT) devices, such as medical devices and wearables. These devices can be vulnerable to cyberattacks, putting patient data at risk. MSPs can help healthcare organizations secure their IoT devices by implementing appropriate security measures.
- Data privacy and compliance: Healthcare organizations are subject to various data privacy and compliance regulations, such as HIPAA. MSPs can help healthcare organizations comply with these regulations by implementing appropriate security measures.
Healthcare is an area that may be able to withstand an economic downturn, something MSPs should view as an opportunity. “The economy could crash, but people will still need healthcare and that PHI will still need safeguarding,” Mitchell concludes.