Hospitals and health systems across the U.S. are increasing cybersecurity budgets, and C-suite executives anticipate spending even more this year.
HIMSS surveyed 229 healthcare cybersecurity professionals, with nearly half from healthcare providers, and found 55.3% increased cybersecurity budgets from 2022 to 2023. Organizations historically spent 6% or less of the IT budget on cybersecurity, but that percentage is increasing to 7% to 10%-plus for many hospitals. More than half, 57.5%, of respondents expect cybersecurity budgets to grow again in 2024, according to the report.
Bill Pack, CFO of Conway (Ark.) Regional Health System feels the pinch.
"There have been so many larger breaches and they can be so devastating financially and from a reputation standpoint, which further erodes trust with our patients and the industry in general," he said during an interview with the "Becker's Healthcare Podcast."
A Change Healthcare cyberattack in February disrupted the revenue cycle and cash flow for hundreds of hospitals, some of which are still recovering. The attack sparked even further increases in many health system cybersecurity budgets, sometimes at the expense of other projects.
"We've got to grow, but having the resources to invest where we want to is really being challenged by having to invest so much into IT and into cybersecurity," said Mr. Pack. He said the health system is investing in robust cybersecurity measures and compliance with future data protection and cybersecurity regulations.
The Change Healthcare breach spooked large and small systems alike. Even if a hospital makes all the right decisions internally, they are still impacted when vendor partners with less stringent cybersecurity defenses experience a breach.
"We're having to spend more money and invest more money in IT software for cybersecurity and making sure our systems continue to run," said Chris Carmody, senior vice president of UPMC Information Technology Division and Chief Technology Officer of UPMC, during an interview with the "Becker's Healthcare Podcast." "We would rather be investing in new services and growing service lines, and doing all the things we want to do right now, but we're hampered by having to invest so much in IT right now."
UPMC is also stepping up internal efforts for cyber hygiene as an important defense mechanism.
"It takes everyone at UPMC to help protect our organization from cybersecurity threats because typically people are the weakest link where they clinic on a link or respond to an email and it creates an exposure that we have to deal with. We're focusing on that: keeping cybersecurity front of mind in the already busy minds of our nurses, doctors and techs taking care of patients."
UPMC's cybersecurity team continues to upskill and support everyone working at the top of their abilities. Mr. Carmody said the system is exploring different ways to automate identifying threats and preparing for remediation and recovery.
"This is all risk management," said Mr. Carmody. "It changes from day to day, hour to hour, based upon what's happening out there in the industry. We're always trying to pay attention to what zero day threats are occurring, not just in healthcare, but beyond, and looking at our own inventory of technologies that we have deployed and making sure we're staying up to date with the patches and fixes.
The system is making sure individuals are in the right positions to align with UPMC's mission and protect the organization.
"If you don't do [IT hygiene] well, you're really putting yourself in a bad position to combat against all the cybercriminals out there that are trying to be disruptive to the healthcare industry and beyond," said Mr. Carmody.