
Survival Against Cyberattacks: Why Hospitals Need Strategy and Policy Support

Analysis | By Jay Asser | October 20, 2025

Cybersecurity failures are putting vulnerable hospitals at risk, prompting healthcare leaders to call for stronger national policies and coordinated defenses.

As cyber threats escalate across the healthcare landscape, hospital leaders are confronting the uncomfortable reality that a data breach today can endanger not only patient privacy, but the survival of their organizations.

With ransomware attacks growing more sophisticated and privacy laws compounding the financial fallout, cybersecurity has become a matter of legal accountability and economic resilience.

In the following excerpt from HealthLeaders’ September cover story, experts outline the ramifications of cyberattacks in healthcare, and the urgent policy action needed to protect vulnerable hospitals and communities.

Legal, Financial, and Survival Stakes

For hospitals and health systems, the protection that cybersecurity provides safeguards more than just financial interests.

Cyber events are foreseeable, which means they carry legal weight, according to Mike Hamilton, field chief information security officer at Lumifi Cybersecurity and former CISO for the City of Seattle. “If you fail to take steps to mitigate a foreseeable risk, you’re guilty of negligence,” he states.

The growing sophistication of attackers means hospitals can’t expect to win every battle. “Hospitals cannot go glove to glove with these people and win,” Hamilton says.

To protect themselves, hospitals should invest in immutable backups and an incident response retainer, either through an insurance company or through a third-party provider. Done right, that preparation can insulate an organization from worst-case scenarios like class action lawsuits, Hamilton says.

Privacy laws complicate the picture. “Our hospitals are taking these huge financial hits,” Hamilton says. “If we had a national privacy statute that supersedes the state’s private right of action, we would lose fewer hospitals. Some of these guys close after a cyberattack.”

Hospitals are already under financial strain from labor costs, inflation, and declining reimbursement. A major cyber event, combined with litigation, can push them to insolvency. That’s why Hamilton frames resilience not just as a technical issue, but as survival economics.

For small and rural hospitals, the stakes are even higher. “That hospital may have an IT department of five people or less sometimes,” Saad Chaudhry, chief digital and information officer at SSM Health and HealthLeaders Exchange member, says. “So imagine what happens when an incident happens here. The communities that count on that hospital now cannot get the care as rapidly as they need.”

The danger isn’t theoretical. In practice, one successful phishing email can paralyze a hospital and force ambulances to divert. For rural communities, it could mean hours-long delays in care. “That could be the difference between life and death,” Chaudhry says.

Outsourcing help often costs more than insourcing, he notes, yet rural facilities often lack the cash for either. “Rural America needing resources to respond to attacks rapidly is absolutely a critical investment factor for the United States,” Chaudhry says.

Hamilton worries that without intervention, “the big companies are going to come in and scoop up rural hospitals for pennies on the dollar” after attacks push them to the brink.

Policy Gaps and Regulatory Solutions

Both Chaudhry and Hamilton believe policy changes are key, with alignment of resources needed at the state and federal levels of government.

Chaudhry envisions a government-sponsored cybersecurity response network with rapid response built in, “no different than when our phones lose signal and you can still call 911.” Certification could ensure only truly resource-limited hospitals qualify.

He cautions against policies that are too broad or too complex. “If you just make it too broad, then the people that actually need the help may not get all the help they want because the funds and network will be separated out. If you make it too hard, then the people that actually need it may not actually get it.”

Hamilton advocates for a national privacy statute to prevent costly lawsuits after breaches and a targeted grant program to support rural healthcare. “We need a grant program specifically to reach out to rural health. Being able to mitigate to blunt the loss of Medicaid money with a grant program is a really good idea.”

He also points to the role of states in filling gaps left by federal agencies. For example, the Cybersecurity Information Sharing Act (CISA) of 2015 is set to expire at the end of September unless Congress acts. The law has allowed for the rapid sharing of threat intelligence between the federal government and private sector.

“If information sharing degrades after CISA 2015’s sunset, hospitals–and all other critical infrastructure–very likely will lose crucial early warnings about ransomware variants and other attack methods,” Cynthia Kaiser, former deputy director of the FBI’s cyber unit, wrote in Fortune. “When a hospital’s systems are threatened, rapid information sharing matters.”

Hamilton believes states should aim to recreate the information sharing that will be lost if CISA expires.

“One big thing that states really need to get in front of here is statewide monitoring,” Hamilton says. “So the state will have a [security operations center] and do that for the benefit of everybody else.”


Jay Asser is the CEO editor for HealthLeaders. 


KEY TAKEAWAYS

Cyberattacks are a foreseeable legal risk, making hospitals liable if they fail to prepare.

Financial strain and privacy laws can push hospitals, particularly ones in rural communities, toward insolvency after breaches.

Experts urge policy reforms, including a national privacy statute, targeted rural grants, and state-led cybersecurity monitoring to sustain resilience and protect access.

