2023 Cyber Resilience Report

This is article 8 of 18 in this Report.

August 01, 2023 / 6 min Read

Healthcare Cyber Profile Improved, but Resilience Work Remains

The movement to the Internet of Everything presents an enormous cultural and technological shift for the sector, and every healthcare organization should be laser-focused on developing structures around cyber maturity.

Key Takeaways

  1. Clients reported improved cyber risk profiles with the majority moving from “basic” to “managed”.
  2. The Network and Information Security (NIS2) Directive on the horizon is expected to fuel continued risk improvement. *
  3. Organizations should conduct regular assessments across technical defenses, control maturity, financial impact and insurability.

* The Network and Information Security (NIS2) Directive

From a cyber security perspective, the healthcare industry faces a level of risk that no other sector does.  Decisions must be made around the safety and wellbeing of patients and, while hospital systems are practiced and prepared to manage enterprise risks such as natural disasters, resilience may be less robust when it comes to cyber risk. Still reeling from the pandemic, the healthcare industry faces demanding conditions. After two years of battling against COVID-19, the Public Health Emergency for the sector expired in May 2023, and hospitals and clinics continue to stare down a nursing labor shortage and employee compensation demands1. Alongside this need for more patient care staff is an information technology (IT) talent gap2. From our experience, healthcare organizations frequently outsource IT to smaller companies that may have a different level of security or IT controls sophistication than larger, more established, providers or even the healthcare organization itself. They may also hire contingent or contract workers from other regions, resulting in a lack of visibility around the safety of data flowing in and out of the organization’s network.

This IT talent shortage coexists in a perfect storm with an expanding technology footprint and attack surface. Healthcare organizations today must embrace a new level of digital innovation to help stay ahead and abreast of many solutions, from incorporating hybrid cloud technology to deploying artificial intelligence (AI) telehealth applications and wearable devices. And the more internet connectivity an organization creates via new tooling and applications, the larger the cyber-attack surface becomes. These complex, networked systems allow multiple entry points, and third- and fourth-party risk is more significant.

Exfiltration of sensitive information and theft of intellectual property is a top concern in the life sciences and healthcare sectors, whether those threats come from malicious insiders, hackers affiliated with government or activist groups, or ransomware3. After experiencing an uptick in mergers and acquisitions activity in recent years, the sector faces security risks around data migration when consolidating systems among others. But the danger is not just financial. Cyber security breaches in medical device and MedTech organizations can be life-threatening to those who need an immediate or constant supply of equipment —such as pacemakers and insulin pumps.

The movement to the Internet of Everything presents an enormous cultural and technological shift. Every healthcare organization must be laser-focused on developing structures around cyber maturity while operating in an increasingly regulated and litigious environment. Patients, insurers, and regulators pressure the industry to meet cyber resilience standards, and the penalties imposed for non-compliance can be significant4. Statutes such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economics and Clinical Health Act (HITECH) add an element of liability created by business associates, vendors, and other service providers. This complex chain of liability demands that healthcare organizations look at cyber risk holistically and are painstaking about risk transfer strategies and mitigation. In fact, cyber insurance carriers now require minimum cyber security controls to obtain or retain cyber coverage.  Healthcare organizations have had to comply with the technical requirements of the HIPAA Security Rule for many years but in our review of the data there is increased scrutiny on cyber maturity due to the proliferation of cyber-attacks.

Aon Clients Report: Healthcare Industry and Risk Maturity

The median percent of the IT budget reportedly spent on security also rose globally, with healthcare companies reporting 8 percent of the IT budget dedicated to security.

Per Aon’s CyQu5 assessment, the overall cyber risk score improved from 2.6 to 2.8 (on a scale of 4) in 2022 for mid-market clients, and 70 percent of the companies reported scores higher than 2.5 in 2022. This indicates that companies are operating at a “basic” level of cyber maturity but approaching “managed”. For enterprise and global clients, the overall risk profile improved from “basic” to “managed”, and more than 80 percent of the companies reported scores higher than 2.5. The impact of The Network and Information Security (NIS2) Directive on the horizon is expected to fuel continued risk improvement.

CyQu Risk Scores for Health Care and Social Assistance Client Segments

Annual Revenue (group) 2020 2022 Change
Global
2.1
2.9
+0.8
Enterprise
2.0
2.8
+0.8
Mid-Market
2.6
2.8
+0.2
SME
2.3
2.5
+0.2

CyQu Risk Maturity Scoring

Initial: 1.0 - 1.9

Basic: 2.0 - 2.5

Managed: 2.6 - 3.4

Advanced: 3.5 - 4.0

In the U.S., while healthcare organizations reported overall maturity improvement, they claimed advancements in only four of nine IT control domains. Aon’s Ransomware Supplemental Applications red flag controls data show that U.S. healthcare companies reported significant improvement in the implementation of crucial underwriting multifactor authentication (MFA) controls (77 percent vs. 64 percent in 2021). We anticipated this advance, as ransomware has been reported to be a top three risk for healthcare organizations, and the insurance market drove a focus on MFA. Vendors should be testing for vulnerabilities on a regular basis as well as have the same strict cyber security controls required by most cyber insurance carriers.


Percent of Lack of Critical IT Controls' for Given Industry in US (red flags)


UK healthcare organizations reported that IT controls implementation in 2022 was less robust than their U.S. counterparts across all categories. According to Aon’s Ransomware Supplemental Applications red flag controls data, organizations lacked 63 percent of network and data security controls. The most secure control group for UK healthcare organizations was patch management, with almost 80 percent of controls deemed adequate.


Percent of Lack of Critical IT Controls' for Given Industry in EMEA and UK (red flags)


Actions for Healthcare Organizations

Understand Your Exposures

Conduct regular assessments across technical defenses, control maturity, financial impact and insurability. Determine what vulnerabilities threaten significant human or material loss and quantify this potential loss to better inform budget decisions within a return on security investment model. Leverage understanding of the organization’s risk profile and security posture to access viable risk transfer solutions. Importantly, investigate third parties and vendors to help mitigate supply chain threats, and conduct insider risk assessments to better manage the growing threat of malicious, intentional insider threat actors.

Tie Your EEOC to Cyber Risk

Leverage the strength of your organization’s Enterprise Emergency Operations Center  to build cyber resilience. Conduct cyber risk scenario planning, develop incident response plans, and incorporate cyber risk into current tabletop exercises.

Prepare for NIS2 Directive.

Understand the scope of the Network and Information Security (NIS2) Directive6, an EU-wide legislation that applies to Healthcare, life sciences and pharmaceutical organizations. Some of the biggest changes with NIS2 are the specified management liabilities and administration fines for non-compliance. It calls for direct action in some key cyber security areas and outlines new controls that must be implemented, along with new guidance on how significant incidents should be reported. Understand what applies to your organization and how to prepare.

Align IR and Business Continuity Planning

Eliminate the division between business continuity and incident response preparedness. Conduct a diagnostic review of existing plans and run a business impact analysis. Consider what downtime looks like. Break down silos as much as possible to take a holistic view of risk and ensure that goals, processes and procedures are aligned.

References

1 “The six challenges facing healthcare in 2023 and how to handle them.” Advisory Board. Daily Briefing. 2023.

2 “Cyber Security Talent Gap: Use These Solutions to Help Rectify Ongoing Issue.” Aon. Article. January 2023 Cyber Security Talent Gap: Use These Solutions to Help Rectify Ongoing Issue | Aon.

3 “A Game of Cat and Mouse: Outpacing Cyber Threats Across Industries.” Aon. Article. March 2023. https://www.aon.com

4 “How to avoid the devastating consequences of HIPAA non-compliance.” HFMA. Serrano, Hernan. Article. May 29, 2019.

5  Aon’s Cyber Quotient. Patent-pending technology.

6 NIST Cybersecurity Framework 2.0. Retrieved from https://eur-lex.europa.eu/eli/dir/2022/2555/oj


Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.