New Year’s Resolutions: Cybersecurity Preparedness Remains Imperative for the Healthcare and Life Sciences Sector

FTI Strategic Communications, Cybersecurity & Data Privacy Communications

As another year approaches, few industries face as much risk or are as frequently targeted by cybersecurity threats as the healthcare and life sciences sector. With the value of the data these organizations maintain and the operational havoc that can be inflicted on an industry whose primary mission is to save lives, regulators are paying close attention to how organizations are bolstering their protection against threat actors, and it will be incumbent that healthcare leaders take concrete actions to enhance their cybersecurity preparedness in 2024.

In the fourth annual FTI Consulting Survey: U.S. Healthcare & Life Sciences Industry Outlook 2024, we asked more than 250 leaders of healthcare and life sciences companies in the U.S. about their expectations for the sector in 2024.[1] Heading into the new year, leaders are acutely aware of the cybersecurity threats looming large over the industry. Survey respondents cited cybersecurity threats as the industry’s second biggest risk for 2024, second only to economic uncertainty – a steep climb from the 7th biggest risk last year. And with good reason – cybersecurity incidents can lead to significant operational, legal, financial and reputational consequences for healthcare organizations.


According to the survey, half of all leaders feel their organization is vulnerable to a potential cyber attack or incident. Malware and ransomware (54%), incidents that involve privacy violations (i.e., Health Insurance Portability and Accountability Act (HIPAA), Personally Identifiable Information (PII)) (46%), and phishing (41%) remain top of mind as clear risks. Notably, as organizations take on permanent hybrid work models, more than one-third (36%) of respondents think this hybrid structure will increase cybersecurity risk for their organizations.

This past year also brought heightened attention from Washington on healthcare and life science organizations’ cybersecurity preparedness and reporting. In March, the Biden administration released its new National Cybersecurity Strategy, which aims to better protect critical infrastructure by strengthening cybersecurity and technology governance and risk management.[2] Over the summer, the Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents they experience and material information regarding their cybersecurity risk management, strategy, and governance on an annual basis, as a safeguard for investors.[3] And as recently as early December, the Department of Health and Human Services (HHS) released a concept paper noting the patient safety risks that cyberattacks cause, seeking further support from Congress to promote cybersecurity resilience for the healthcare sector through a combination of incentives and enforcement measures.[4]


In light of these rapidly growing cybersecurity risks and regulatory pressure on the industry, healthcare and life sciences organizations of all kinds should consider the following New Year’s resolutions to enhance their cybersecurity preparedness in 2024.

Resolution #1: Prepare to Comply with the New Cybersecurity Regulations Set by Washington

With the new cybersecurity strategies and rules outlined above, and louder calls than ever before from lawmakers and investors to tighten guidance, it will be imperative that healthcare leaders have the right partners by their side to navigate this rapidly changing regulatory environment. Particularly for publicly traded biotech and pharma companies, the new SEC rules beginning to take effect will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing. As legal precedent for this materiality is established, it is essential that companies stay up to date on how adoption of this rule is evolving. Key to this readiness will be establishing communications plans for these types of disclosures and testing those plans before an active incident.

Resolution #2: Enhance Incident Response Planning and Training

While maintaining acute awareness of the transforming cybersecurity landscape is a vital first step, on its own this will not be enough. Healthcare and life science organizations need to be prepared to demonstrate cybersecurity crisis communications readiness to investors, regulators, employees, media, and patients. Thankfully, in the last year, healthcare leaders have continued to adopt a preparedness mindset and are investing in cybersecurity crisis planning efforts. More than half of the industry (55%) already has a crisis communications plan in place for cyber attacks or incidents, and more than one-third (37%) has participated in a cyber-related crisis simulation or table-top exercise. An even larger number of industry leaders (46%) are considering a simulation or table-top exercise for 2024. This interest is well founded: even if a cybersecurity incident response procedure is documented, it is only as effective as leadership’s understanding of the protocol and their ability to act on it. Cybersecurity table-top exercises offer controlled environments for leadership teams to pressure test existing response plans and build muscle memory for effective incident response. The return on these exercises is even greater when guided by external crisis preparedness experts who can provide objective feedback, recommendations, and insights on areas for enhancement.

Resolution #3: Scenario Plan Ahead of Aggressive Threat Actor Escalations

Threat actors continue to evolve their ransomware extortion tactics to impose maximum pain on an organization to elicit payment. And they will not let up on healthcare and life sciences organizations. The industry has witnessed an acceleration of aggressive extortion tactics. Not only are threat actors continuing to “name and shame” victim organizations on their leak sites and post stolen data, but ransomware gangs are also directly contacting staff, sending packages to executives’ homes, and outing public company victims to the SEC. It is important for healthcare and life sciences leaders to stay ahead of the curve and determine, in advance, their internal and external communications posture and messaging approach for these and other potential scenarios. 

Resolution #4: Ensure Staff Are Up to Date on Cybersecurity and Data Privacy Policies

The prevalence of cybersecurity incidents presents an opportunity to refresh staff on the organization’s existing data retention, cybersecurity, and social media policies, especially those that are healthcare, PII, or HIPAA specific. With 41% of the industry still adopting a hybrid working model, where staff operate from decentralized locations and servers, individual awareness of these policies and maintaining good cyber hygiene are crucial. Reinforcing policies and the importance of data security and privacy through periodic training exercises and awareness programs is an effective way to consistently build cybersecurity hygiene across all organization levels and among third-party vendors or contractors. The effectiveness of keeping individuals diligent can be multiplied by having a dedicated team in place to monitor for early signs of incidents of all kinds, including insider threats and misinformation campaigns.

Resolution #5: Assess Cyber Risks Introduced by Third Parties

It is common for healthcare and life sciences organizations to rely on vendors, suppliers, and contractors to assist with their day-to-day operations, and these third parties are often granted access to the organization’s network or data as part of that working relationship. While outsourcing can create efficiencies, healthcare and life sciences organizations need to understand and plan for potential impacts if a connected entity suffers a cybersecurity incident. The global MOVEit incident impacted a number of healthcare organizations and underscored the significant downstream effects of third-party cybersecurity incidents. As part of their incident response planning efforts, healthcare and life sciences organizations should be intentional about assessing their third-party risks and developing mitigation plans accordingly.

In 2024, the healthcare and life sciences industry will see a greater focus on cybersecurity by patients, providers, regulators, and investors than ever before. Now is the opportune moment for the sector to administer its own preparedness measures and proactively invest in readiness for the challenges and changes ahead.


[1] Lauren Crawford Shaver, Robert Stanislaro, Jim Polson, Jamie Singer, Ben Herskowitz, James Condon, Jacqui Wilmot, Cady Hoffman and Ronelle Green, “Biopharma in 2024: At a Crossroads,” FTI Consulting, Inc. (December 8, 2023), https://fticommunications.com/2024-healthcare-life-sciences-industry-outlook-biopharma-at-crossroads/.

[2] “FACT SHEET: Biden-⁠Harris Administration Announces National Cybersecurity Strategy,” The White House (March 2, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/.

[3] “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” U.S. Securities and Exchange Commission (Federal Register Publish Date August 4, 2023), https://www.sec.gov/rules/2022/03/cybersecurity-risk-management-strategy-governance-and-incident-disclosure#33-11216.

[4] “HHS Announces Next Steps in Ongoing Work to Enhance Cybersecurity for Health Care and Public Health Sectors,” U.S. Department of Health and Human Services (December 6, 2023), https://www.hhs.gov/about/news/2023/12/06/hhs-announces-next-steps-ongoing-work-enhance-cybersecurity-health-care-public-health-sectors.html.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2023 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
