“Data Without Trust Is Dangerous: The Case for Risk-Informed Innovation”
Post Summary
Healthcare data breaches are expensive and dangerous, costing an average of $10.93 million per incident. Beyond financial losses, they erode patient confidence, disrupt medical care, and slow innovation. In 2024 alone, 273 million patient records were exposed in the U.S., with ransomware attacks and IoT vulnerabilities leading the charge.
The solution? Healthcare organizations must focus on risk-informed strategies that balance security and innovation. This includes:
- Strengthening cybersecurity with frameworks like NIST.
- Implementing real-time monitoring and role-based access controls.
- Collaborating across teams to align security with patient care.
- Prioritizing vendor management and staff training.
Cybersecurity Risks in Healthcare Organizations
Healthcare organizations are navigating a minefield of cybersecurity threats. With valuable data, intricate systems, and ever-evolving attack methods, even the smallest vulnerability can lead to catastrophic outcomes. Let’s break down these risks, starting with breaches, ransomware, and vulnerabilities in connected devices.
Major Threats: Breaches, Ransomware, and IoT Vulnerabilities
Data breaches have become a major concern, affecting 237,986,282 U.S. residents in 2024 alone. Healthcare data, which can fetch up to 10 times more than credit card information on the dark web, has become a prime target [3] [6]. The financial toll is staggering: the average cost to remediate a stolen healthcare record is $408, compared to $148 for non-health records [3]. Phishing-related breaches in 2024 averaged a jaw-dropping $9.77 million per incident [6].
Ransomware attacks have surged by 300% since 2015 [8]. These attacks don’t just lock up data - they can halt critical, life-saving operations. For example, in 2020, Brno University Hospital in the Czech Republic, a key COVID-19 testing center, had to postpone surgeries and disconnect its networks, forcing staff to revert to pen and paper [1].
"Cybersecurity is as essential as medical expertise. Ransomware attacks on healthcare systems are increasingly putting patient lives and sensitive data at risk." - DriveLock [7]
The human cost is chilling. Between 2016 and 2021, ransomware attacks were linked to 42–67 Medicare patient deaths [8]. These incidents also led to an 81% increase in cardiac arrest cases at nearby hospitals [8] and raised mortality rates by over 20% [11].
Large-scale attacks further highlight the risks. In 2024, the ALPHV/BlackCat ransomware group targeted Change Healthcare, exposing the health data of over 100 million people. The financial fallout ranged from $872 million to $1.15 billion. Change Healthcare paid a $22 million ransom, and 74% of hospitals reported disruptions to patient care, with federal reports warning of "a direct threat to critically needed patient care" [4] [12].
IoT and medical device vulnerabilities add another layer of complexity. The increasing number of connected devices creates countless entry points for cyberattacks, potentially compromising entire hospital networks [1].
The Price of Poor Risk Management
The consequences of inadequate risk management go far beyond immediate threats, leading to severe financial, operational, and reputational damage.
Financial losses in healthcare cybersecurity incidents are astronomical. The average cost per incident in healthcare is nearly $10 million - three times higher than in other industries [12] [3]. Ransomware attacks alone cost an average of $1.4 million per incident, with some payments reaching $4.4 million [11] [8].
Operational disruptions can cripple healthcare systems for months. For instance, the University of Virginia Health System faced 19 months of operational challenges after a malware attack, significantly impacting patient care [4]. Similarly, the 2017 WannaCry ransomware attack affected 40% of healthcare facilities worldwide, delaying care in hospitals across 150 countries [4].
Loss of patient trust is another devastating outcome. After a data breach, 66% of consumers say they wouldn’t trust the affected organization, and 75% would sever ties altogether [12]. This erosion of trust can lead patients to withhold critical health information, compromising their care and stalling medical research [5].
"The cyber bad guys spend every waking moment thinking about how to compromise your cybersecurity procedures and controls. The best defense begins with elevating the issue of cyber risk as an enterprise and strategic risk-management issue." - John Riggi, Senior Advisor for Cybersecurity and Risk, American Hospital Association [3]
Clinical outcomes also take a hit. In 2024, 57% of healthcare organizations that experienced cyberattacks reported worse health outcomes, including higher mortality rates, longer hospital stays, and more frequent diversions from emergency rooms [4]. In one tragic case, a ransomware attack at an Alabama hospital was cited in a lawsuit claiming it contributed to the death of a newborn baby by preventing access to vital monitoring tools during delivery [8].
Third-party risks amplify these challenges. In 2023, 58% of the 77.3 million individuals affected by healthcare data breaches were impacted by attacks targeting business associates [9]. A 2020 ransomware attack on Blackbaud, a vendor, exposed data for 3.3 million patients across multiple healthcare systems, including Trinity Health [4].
Systemic vulnerabilities - outdated IT infrastructure, insufficient staff training, and weak security protocols - leave healthcare organizations exposed to increasingly sophisticated cyberattacks [5]. With U.S. cybercrime losses hitting $12.5 billion in 2023, poor risk management doesn’t just hurt financially - it undermines the trust that healthcare systems depend on [10].
Case Study: Risk-Informed Innovation in Action
To see how risk-informed strategies come to life, let’s dive into how a large healthcare network revamped its cybersecurity approach while keeping operations smooth and ensuring top-notch patient care.
Challenges: Tackling Complex Risks in a Healthcare Network
This healthcare network, like many others, faced mounting cybersecurity threats. In fact, 92% of healthcare organizations have experienced cyberattacks, highlighting the ongoing struggle to balance innovation with security [16].
The challenges were daunting. The network relied on outdated legacy systems that, while critical to daily operations, were difficult to secure. Upgrading these systems came with hefty costs and significant disruption. As one executive explained:
"Like many healthcare providers, we rely on legacy systems that are critical to daily operations but difficult to secure. The cost and disruption associated with upgrading these systems can be immense, and healthcare providers are often hesitant to overhaul platforms that are deeply integrated into clinical workflows. Our challenge lies in finding a way to modernize our technology without compromising care or introducing unnecessary risk during the transition." [13]
Vendor-related risks added another layer of complexity. The network collaborated with numerous third-party vendors, ranging from medical device manufacturers to cloud service providers. The Chief Information Security Officer described the challenge:
"We depend heavily on third-party vendors for everything from medical devices to cloud services. These vendors' security practices directly impact us, but we often lack full visibility into their cybersecurity protocols. Auditing and vetting vendors for their cybersecurity measures is a time-consuming and expensive process. The challenge is ensuring their cybersecurity measures meet our standards without disrupting our operations or partnerships." [13]
Additionally, a lack of adequate staff training and high turnover rates amplified the network’s vulnerability. Compliance with HIPAA and other evolving data privacy regulations added further strain. One administrator shared:
"Compliance with HIPAA and other data privacy regulations is not optional, but the regulatory landscape is continuously evolving. Ensuring that we are fully compliant while managing the costs of compliance audits, employee training, and technology upgrades is a constant struggle. Additionally, these regulations sometimes create friction between ensuring patient privacy and providing accessible care." [13]
Financial pressures only made things harder. With the high costs of compliance and the steep price of breaches [16], the network needed a strategic, integrated approach to mitigate these risks effectively.
Solutions: Building a Risk-Informed Cybersecurity Framework
Given the complexity of these challenges, the healthcare network turned to a risk-informed strategy rooted in the NIST Cybersecurity Framework’s core functions: Identify, Protect, Detect, Respond, and Recover [14].
The first step was conducting a thorough risk assessment. This included creating a unified inventory of assets, vulnerabilities, and threats across all facilities. With the help of vulnerability management tools, the network monitored device behavior and incorporated data from over 75 sources to track threats in real time [15]. A dynamic risk scoring system kept risks quantified and updated automatically, ensuring resources were allocated to the most critical areas [15].
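The dynamic risk scoring described above, as an added worked example that is not the network's or any vendor's code: a small unified inventory of assets and their vulnerabilities is scored by asset criticality, exposure, and whether a vulnerability appears on an active-exploitation threat feed, so the priority list re-orders automatically when the feed changes. The scoring formula, the 1 to 5 criticality scale, the `VULN-*` identifiers, and the sample inventory are all constructed for illustration.

```python
"""Dynamic risk scoring over a unified asset/vulnerability inventory.

Added illustrative example; the formula, scale and sample data are assumptions,
not a published or vendor scoring method.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                  # assumed scale: 1 (low) .. 5 (patient-safety critical)
    internet_exposed: bool
    vulns: list = field(default_factory=list)   # list of (vuln_id, cvss_base_score)


def risk_score(asset: Asset, exploited_in_wild: set) -> float:
    """Constructed formula: worst CVSS on the asset, weighted by criticality,
    doubled if any of its vulnerabilities is on the active-exploitation feed,
    and raised by half if the asset is reachable from the internet."""
    if not asset.vulns:
        return 0.0
    worst = max(cvss for _, cvss in asset.vulns)
    score = worst * asset.criticality             # 0 .. 50 before modifiers
    if asset.internet_exposed:
        score *= 1.5
    if any(vid in exploited_in_wild for vid, _ in asset.vulns):
        score *= 2.0
    return round(score, 1)


def prioritize(inventory: list, exploited_in_wild: set) -> list:
    """Return (asset name, score) pairs, highest risk first. Re-running this
    after a threat-feed update is what keeps the ranking current."""
    ranked = sorted(inventory, key=lambda a: risk_score(a, exploited_in_wild), reverse=True)
    return [(a.name, risk_score(a, exploited_in_wild)) for a in ranked]


# Constructed sample inventory (placeholder vulnerability ids, not real CVEs).
SAMPLE_INVENTORY = [
    Asset("infusion-pump-vlan", criticality=5, internet_exposed=False, vulns=[("VULN-A", 7.5)]),
    Asset("patient-portal",     criticality=3, internet_exposed=True,  vulns=[("VULN-B", 9.8)]),
    Asset("hr-fileshare",       criticality=2, internet_exposed=False, vulns=[("VULN-C", 5.0)]),
]


if __name__ == "__main__":
    # Before the feed lists VULN-A, the exposed portal ranks first.
    print(prioritize(SAMPLE_INVENTORY, exploited_in_wild=set()))
    # A feed update marking VULN-A as exploited moves the clinical device to the top.
    print(prioritize(SAMPLE_INVENTORY, exploited_in_wild={"VULN-A"}))
```

The point of the example is the second call: nothing about the assets changed, yet the ranking moved because the threat data did, which is what allocating resources "to the most critical areas" requires in practice.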
Technology played a key role. Role-based access control (RBAC) restricted data access, limiting exposure to sensitive information [17]. Real-time monitoring tools were also implemented to identify anomalies early, preventing small issues from escalating into major incidents.
Collaboration was another critical component. Cross-functional teams, including IT experts, clinicians, and administrative leaders, worked together to ensure that security measures aligned with clinical workflows without disrupting patient care.
Vendor management became a priority as well. The network compiled a comprehensive vendor inventory and enforced standardized security requirements for all business associates. Continuous monitoring ensured vendors met these standards [2].
Finally, the organization addressed human factors by fostering a strong security culture. Ongoing cybersecurity training helped staff stay informed about best practices, addressing gaps seen in organizations without formal training programs [16].
Results: Balancing Security, Trust, and Innovation
The results of these efforts were significant. Operational efficiency improved through the use of immutable backups and regular recovery process testing. Manual workflows were also in place to maintain continuity during unexpected downtimes [16].
Strengthened security measures played a key role in rebuilding patient trust. This was critical, as nearly half of patients may hesitate to return to a provider after a data breach [17]. In an era where 86% of consumers read online reviews before selecting a healthcare provider, and 84% avoid providers with poor ratings [16], a strong security posture became a competitive advantage.
Perhaps most impressively, the network’s robust cybersecurity framework enabled the safe adoption of new technologies. From telemedicine to IoT-enabled medical devices, innovations were introduced without compromising security, setting the stage for sustainable advancements in patient care.
This case highlights how risk-informed strategies can effectively balance security, innovation, and trust in the healthcare sector.
Frameworks and Tools for Cybersecurity Risk Management
Healthcare organizations need reliable frameworks to protect patient data, manage medical devices, and ensure compliance with regulations.
Using Censinet RiskOps™ and AITM for Risk Management
The healthcare sector requires cybersecurity tools tailored specifically to its unique challenges. As Matt Christensen, Senior Director of GRC at Intermountain Health, explains:
"Healthcare is the most complex industry... You can't just take a tool and apply it to healthcare if it wasn't built specifically for healthcare." [18]
Censinet RiskOps™ is a platform designed specifically for healthcare. It operates as a collaborative risk network, incorporating over 50,000 vendors and products to address risks related to vendors, third parties, patient data, medical records, research, medical devices, and supply chains [18].
The platform has delivered measurable benefits. For example, Terry Grogan, CISO at Tower Health, shared how it improved their operations:
"Censinet RiskOps allowed 3 FTEs to go back to their real jobs! Now we do a lot more risk assessments with only 2 FTEs required." [18]
Censinet AITM, another tool in the suite, simplifies third-party risk assessments by automating tasks like security questionnaires, summarizing vendor documentation, and collecting integration details [21]. It uses AI to validate evidence and draft policies, making risk management scalable while keeping human oversight in place.
Ed Gaudet, CEO and founder of Censinet, highlights the urgency of adopting such tools:
"With ransomware growing more pervasive every day, and AI adoption outpacing our ability to manage it, healthcare organizations need faster and more effective solutions than ever before to protect care delivery from disruption." [21]
Censinet RiskOps also acts as a centralized hub for managing AI-related policies, risks, and tasks, ensuring continuous oversight. James Case, VP & CISO at Baptist Health, points out the collaborative advantages:
"Not only did we get rid of spreadsheets, but we have that larger community [of hospitals] to partner and work with." [18]
These tools are designed to integrate seamlessly with existing regulatory frameworks.
Meeting Industry Standards and Regulations
In addition to specialized tools, healthcare organizations can strengthen their cybersecurity posture by adhering to established industry standards. Frameworks like the NIST Cybersecurity Framework and MARS-E provide structured approaches to managing risks.
The NIST Cybersecurity Framework outlines a comprehensive model with five key functions: Identify, Protect, Detect, Respond, and Recover. By conducting regular risk assessments, implementing continuous monitoring, and training staff on security best practices, organizations can use this framework to address vulnerabilities effectively [20].
MARS-E (Minimum Acceptable Risk Standards for Exchanges) offers specific guidelines for handling patient health information and federal tax data. Designed for ACA-administering entities and their contractors, MARS-E aligns with HIPAA and FISMA requirements. It also mirrors NIST 800-53, which includes 20 control families, making it easier for organizations already familiar with NIST standards to adopt [19].
| Framework/Tool | Description | Use Case |
|---|---|---|
| Censinet RiskOps™ | Cloud-based platform for secure cybersecurity and risk data sharing | Managing risks across vendors, patient data, medical devices, and supply chains [18] |
| MARS-E | Privacy and security standards for ACA-administering entities | Securing patient health information and federal tax data [19] |
Benchmarking against these standards offers additional advantages. Brian Sterud, CIO at Faith Regional Health, emphasizes:
"Benchmarking against industry standards helps us advocate for the right resources and ensures we are leading where it matters." [18]
To bolster cybersecurity, healthcare organizations should classify information assets by their importance, stay updated on emerging threats, and implement measures such as data segregation and continuous monitoring. Establishing due diligence programs to oversee business associates is also critical for safeguarding Protected Health Information (PHI) [22].
Best Practices for Maintaining Trust in Healthcare Data
Trust in healthcare data systems doesn't develop by chance. It takes intentional efforts involving people, processes, and technology. Healthcare organizations that succeed in this area rely on proven strategies addressing both human behavior and technical safeguards.
Creating a Security-First Culture
Building trust begins with every employee - from the front desk to the executive team - taking an active role in protecting patient data. A security-first culture ensures that security is woven into every decision and action.
Organizations that invest in regular cybersecurity training report 30% fewer security incidents. This is especially critical in healthcare, where the average cost of a breach is a staggering $9.77 million [23] [26].
"People are the first and last line of defense in any security strategy." - Pamela Larson, Chief Security Officer, North America, Everbridge [23]
Fostering this culture requires ongoing education and clear communication. Employees must understand not only what actions to take but also why those actions are crucial. Regular training on cybersecurity threats, phishing awareness, and physical security helps staff become proactive in safeguarding data [23].
Leadership plays a vital role in driving this change. As MedPro Group puts it:
"A strong security culture means an ongoing process that is driven not from the IT department but from the top of the organization down." [24]
To measure and improve security culture, organizations often conduct surveys to assess employee attitudes, behaviors, and knowledge about security. These insights allow for tailored training that addresses specific knowledge gaps and risky behaviors [24]. Clear accountability ensures that every team member understands their role, embedding security into everyday workflows [24].
While fostering a culture of vigilance is essential, healthcare organizations also rely on technology to scale these efforts effectively.
Using Automation with Human Oversight
A security-first culture lays the groundwork, but combining automation with human oversight enhances risk management efficiency. Healthcare organizations handle massive amounts of risk data, requiring speed without sacrificing the nuanced judgment that human oversight provides.
Human-guided automation strikes this balance. For instance, Censinet AITM enables vendors to complete security questionnaires in seconds while maintaining human oversight at key stages [21]. The system summarizes vendor evidence, captures product integration details, and generates risk summary reports. Risk teams remain in control through customizable rules and review processes.
This approach is critical as healthcare organizations face increasing pressure to respond to threats swiftly. The rise of ransomware attacks and the rapid adoption of AI technologies demand faster, more effective solutions [21].
Automation functions like an "air traffic control" system, directing critical risk findings to the right stakeholders for quick review [21]. Multidisciplinary oversight committees - comprising clinicians, IT experts, legal advisors, and ethicists - further strengthen risk management. These committees conduct performance audits and ensure adherence to policies emphasizing safety, transparency, and accountability [25].
Responding to New Cyber Threats
Maintaining trust requires constant vigilance. The healthcare sector faces a rapidly evolving threat landscape, with attackers using increasingly sophisticated methods. In fact, 58% of respondents identified phishing as the cause of their most significant security incident [29]. Additionally, many operational systems are vulnerable, including 77% of hospital information systems, 72% of imaging devices, 35% of clinical IoT devices, and 30% of clinical lab devices [28].
Adopting a Zero Trust approach is one way to combat these threats. This model requires verification for every access request, ensuring that even internal users are not automatically trusted. The Colonial Pipeline breach serves as a cautionary tale - hackers gained access using a compromised password, underscoring the importance of strong password policies and multi-factor authentication [27].
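The role-based access control mentioned in the case study and the Zero Trust rule above (every request verified, internal users not trusted by default), as one added example that is not the network's or any vendor's implementation. The role-to-permission policy, the list of PHI-bearing resources, and the device-posture rule are constructed assumptions; the decision function denies by default and deliberately ignores network location.

```python
"""Per-request access decision: RBAC plus Zero Trust checks (MFA, device posture).

Added illustrative example with a constructed policy; not a production system.
"""
from dataclasses import dataclass

# Constructed RBAC policy: role -> set of (resource, action) a role may perform.
# Anything not listed is denied (deny by default).
ROLE_PERMISSIONS = {
    "nurse":    {("ehr", "read"), ("ehr", "write")},
    "billing":  {("claims", "read"), ("claims", "write")},
    "it-admin": {("device-inventory", "read"), ("device-inventory", "write")},
}

# Assumed policy: resources holding protected health information need MFA.
PHI_RESOURCES = {"ehr", "claims"}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool
    device_managed: bool
    network: str          # "internal" or "external"; intentionally never used to grant access


def authorize(req: AccessRequest) -> tuple:
    """Evaluate one request and return (allowed, reason).

    Every request goes through the same checks; being on the internal network
    earns nothing, which is the Zero Trust property the text describes."""
    allowed = ROLE_PERMISSIONS.get(req.role)
    if allowed is None:
        return False, "unknown role"
    if (req.resource, req.action) not in allowed:
        return False, "role lacks permission"
    if req.resource in PHI_RESOURCES and not req.mfa_verified:
        return False, "MFA required for PHI"
    if req.action == "write" and not req.device_managed:
        return False, "writes require a managed device"
    return True, "allowed"


def audit_line(req: AccessRequest) -> str:
    """One structured log line per decision, so denials can feed monitoring."""
    ok, reason = authorize(req)
    return (f"user={req.user} role={req.role} resource={req.resource} "
            f"action={req.action} network={req.network} "
            f"decision={'ALLOW' if ok else 'DENY'} reason={reason!r}")


if __name__ == "__main__":
    # Constructed requests; the first is an internal user without MFA and is denied.
    for r in [
        AccessRequest("n.lee", "nurse", "ehr", "read", mfa_verified=False, device_managed=True, network="internal"),
        AccessRequest("n.lee", "nurse", "ehr", "read", mfa_verified=True, device_managed=True, network="external"),
        AccessRequest("b.ortiz", "billing", "ehr", "read", mfa_verified=True, device_managed=True, network="internal"),
        AccessRequest("n.lee", "nurse", "ehr", "write", mfa_verified=True, device_managed=False, network="internal"),
    ]:
        print(audit_line(r))
```

Two design choices carry the lesson: permissions are looked up in an allow-list so an unlisted role or action fails closed, and the `network` field is logged but never consulted, so a request from inside the hospital LAN is held to exactly the same identity and device checks as one from outside.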
Conclusion: The Case for Trust-Based, Risk-Informed Innovation
As we’ve seen, the future of healthcare hinges on a secure, trust-centered approach. Trust is the backbone of meaningful healthcare innovation - without it, even the most advanced technologies can become liabilities instead of assets.
The stakes couldn’t be higher. Healthcare data breaches are among the most costly across industries [3]. However, organizations that prioritize proactive strategies have seen impressive results. Take Ochsner Lafayette General, for instance: they reduced incident follow-up times by 80% and lowered patient falls by 60%, leading to significant savings through avoided risks [31].
"As a physician and an expert in the patient experience, I'm well aware of the privacy and security concerns surrounding health data. For patients especially there are a lot of unknowns when it comes to talking about their health data. They may hear about data breaches at their local hospital or health system – or even receive notice that their data has been potentially exposed – and wonder how secure their health data is and whether anything is being done to better protect it and them." - Dr. James I. Merlino, Chief Innovation Officer, The Joint Commission [30]
When patients doubt the security of their data, they may withhold vital information or avoid seeking care altogether. For this reason, healthcare organizations must treat cybersecurity as a core element of patient safety and enterprise risk management - not as an afterthought [3].
Moving forward, balancing innovation with accountability is non-negotiable. While most U.S. hospitals now export patient data for reporting [30], these capabilities must be underpinned by strong safeguards that comply with HIPAA and uphold patient rights. Such safeguards represent the next step in the evolution of risk-aware practices.
The answer lies in risk-informed innovation. By adopting robust incident response systems, advanced threat detection, continuous staff training, and human-guided automation, healthcare organizations can not only fend off cyber threats but also sustain their drive for progress [32]. The goal is to build systems where security serves as a catalyst for innovation rather than a barrier.
Building trust takes time and effort. But investing in it today will shape the healthcare landscape of tomorrow. With stolen health records fetching up to 10 times the price of credit card numbers on the dark web [27] [3], there’s no room for complacency. A trust-based, risk-informed approach is not just a strategy - it’s a necessity for the future of healthcare.
FAQs
What are risk-informed strategies, and how do they support secure innovation in healthcare?
Risk-informed strategies in healthcare cybersecurity center around pinpointing, evaluating, and tackling risks based on how much harm they could cause. By focusing on the most pressing threats, these strategies help safeguard sensitive data while still allowing room for technological progress.
When healthcare providers incorporate these risk-based approaches, they can embrace new technologies with confidence, encourage teamwork across departments, and reduce potential weak spots. This approach ensures that security efforts support operational objectives, paving the way for safer and more efficient improvements in patient care.
How do ransomware attacks and IoT vulnerabilities affect patient care and trust in healthcare systems?
Ransomware attacks have the potential to bring healthcare services to a standstill, interrupting operations, delaying critical treatments, and endangering patient lives. Beyond the immediate impact, such incidents can erode trust in healthcare systems, leaving patients to question whether their care is secure and dependable.
In a similar vein, vulnerabilities in IoT devices can open the door to sensitive patient data breaches, disrupt the performance of essential medical equipment, and interfere with healthcare workflows. These threats not only jeopardize patient safety but also make people hesitant about embracing digital health technologies. Tackling these issues is crucial to preserving trust and ensuring that patient care remains both safe and effective.
Why is a security-first culture essential for protecting healthcare data, and how can organizations build it effectively?
A security-first culture is essential in healthcare, where safeguarding sensitive data is not just a priority but a necessity. This approach minimizes the risk of data breaches and builds trust in the systems that manage patient information. It’s about fostering shared responsibility, maintaining ongoing awareness, and staying proactive against cybersecurity threats.
Here’s how healthcare organizations can establish this mindset:
- Leadership commitment: Leaders need to set the tone by prioritizing security and demonstrating its importance through their actions.
- Employee education: Regular training equips staff with the knowledge to identify and respond to potential security risks.
- Defined accountability: Clearly outline roles so every team member knows their responsibility in protecting sensitive information.
- Cross-team collaboration: Encourage open communication and teamwork across departments to strengthen security measures.
- Integration with objectives: Weave security practices into the organization’s goals, ensuring progress and innovation don’t come at the expense of safety.
By embedding these principles into daily operations, healthcare organizations can protect critical data while enabling secure advancements in their field.