Cybersecurity as a Strategic Imperative to Protect Patient Safety in Health Care

Cybersecurity is critical for protecting patient safety and privacy in health care, according to John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association.

“Health care organizations continually face evolving cyberthreats that can put patient safety at risk,” emphasized Riggi. “That’s why I advise hospital C-suite and other senior leaders not to view cybersecurity as a purely technical issue falling solely under the domain of their IT departments. Rather, it’s critical to view cybersecurity as a patient safety, enterprise risk and strategic priority and instill it into the hospital’s existing enterprise, risk-management, governance and business-continuity framework.”

Health care systems are particularly vulnerable to cyberattacks due to the high value of data they store, including protected health information (PHI), financial details, personal identifiers, and intellectual property. This data is valuable not only to cybercriminals but also to nation-state actors. Stolen health records can fetch up to 10 times more than stolen credit card information on the dark web, making health systems attractive targets. Furthermore, the cost of remediating a health care data breach is disproportionately high, averaging $408 per record—nearly 3 times the cost per record in other industries.

Cyberattacks can significantly disrupt patient care by compromising access to electronic health records and vital medical devices. For instance, the 2017 “WannaCry” ransomware attack on Britain’s National Health Service led to ambulances being diverted and canceled surgeries. Similar disruptions have occurred in the US since, putting patient outcomes at risk when hospitals lose access to critical systems and data.

To protect against such risks, Riggi advises health care leaders to treat cyber risk as a strategic issue and to appoint a dedicated information security officer with authority and independence. Regular updates on cyber risk should be provided to senior leadership, ensuring that the organization’s defenses remain responsive to evolving threats.

“A culture of cybersecurity, where the staff members view themselves as proactive defenders of patients and their data, will have a tremendous impact in mitigating cyber risk to the organization and to patients,” Riggi said.

By fostering a mindset where all staff see themselves as guardians of patient data, health care organizations can significantly enhance their resilience against cyber threats. In Riggi’s view, this alignment between cybersecurity and patient care not only protects patients but also reinforces trust in the health system and its commitment to safety and privacy.

Reference

AHA Center for Health Innovation. The importance of cybersecurity in protecting patient safety. Accessed November 4, 2024. https://www.aha.org/center/cybersecurity-and-risk-advisory-services/importance-cybersecurity-protecting-patient-safety