How Hyland helps healthcare organizations improve cybersecurity

Data breaches are increasingly common — and expensive — in healthcare. Our experts provide tips on how organizations can better protect themselves.


Healthcare organizations, which possess a plethora of information that is valued by cyber thieves and nation-state actors, are particularly vulnerable to cyberattacks.

According to statistics compiled by the HIPAA Journal, an average of 1.99 healthcare data breaches of 500 or more records were reported each day in 2023. The 725 total breaches in 2023 were 96% higher than the 2018 tally and marked the eighth consecutive year in which the number of data breaches increased.

“The scary thing is, we haven’t really had a period where they’ve been on the decline,” Hyland Director of Cybersecurity Dylan Border said.

The average cost of a breach reached an all-time high of $4.45 million in 2023, according to IBM Security. In the healthcare industry, the average was a staggering $10.93 million. The average cost of a healthcare breach has increased 53.3% since 2020, and the industry’s 2023 average was $5.03 million ahead of the next-most-vulnerable industry (the financial industry, at $5.9 million).

Much more important than the numbers, though, are the impacts that cyberattacks can have on patient safety and the ability of healthcare organizations to provide uninterrupted care delivery. By failing to keep patient records private, healthcare organizations also face potential harm to their reputation and could incur substantial penalties.

How can healthcare organizations better protect patient data? What should they do if they’re attacked? Border and Dan Dennis, Hyland’s chief information security officer, provide answers.

  • 300,000: UNC Health patients who have viewed their images

  • 53.3%: Cost increase for healthcare data breaches since 2020

  • 13: Consecutive years that the healthcare industry has reported the most expensive data breaches

Best practices for cybersecurity in healthcare

“It all boils back to good security and IT hygiene,” Border said on the Health Innovation Matters podcast.

Here are 10 high-level tips from Hyland’s cybersecurity experts.

It starts at the top

“Having leadership support is critical to success,” Dennis said.

Educate your users

“This is an absolute need. This is not an optional factor,” Border said.

According to IBM Security’s research, the average cost of a data breach for organizations with high levels of employee training was $3.68 million. The average was $1.5 million higher for organizations with low levels of employee training ($5.18 million).


Multifactor authentication

“During a phishing scam, when an attacker goes to use the credentials that they’ve successfully harvested from you, you’ll get that prompt, and that will be your key to not actually log into that service right now,” Border said.

Know your vulnerabilities

Examine your external vulnerabilities and internet footprint. If there are any weaknesses, attackers will be ready to exploit them.

“If we’re talking about one area where healthcare really is lacking, I think it’s around vulnerability management,” Border said.

Be proactive

“Your people are going to be your weakest link,” Dennis said. “They need to know how to identify attacks, how to report attacks and what to do in those types of attacks.”

Different levels of control

“You’ll want to have different levels of technical controls across the organization,” Dennis said.

This can include email filters, antivirus and malware protection, and other measures to block entry points.

Limit administrative rights

Providing such access only where it’s “absolutely required” can significantly limit the risk of attacks, Dennis said.

Constantly monitor your environment

“You want to make sure you have offline encrypted backups and you’re regularly testing those backups,” Dennis said. “That way, you can react quickly and react accordingly when you’re attacked.”

Third-party reviews

Getting an outsider’s assessment of your network can identify risks that you might not have seen during internal reviews.

View it as a business enabler

Cybersecurity is no longer a “check-the-box function,” Dennis said. Understand its importance and the leadership support it requires.

The lofty benefits of moving to the cloud

Healthcare organizations — facing mounting resource challenges and strict compliance requirements — have been slower than other industries to make the move to the cloud. In this story, you’ll hear from three Hyland Healthcare customers who took on that daunting task and offer top benefits and best practices from their cloud transition.

What should healthcare organizations do after a cyberattack?

First, we’ll address the obvious: “The No. 1 thing would be don’t make this the first time you’ve considered it,” Border said.

Have a response plan in place

“Ideally, you would have thought about a response plan, business continuity and disaster recovery efforts, what your company can and can’t do during a ransomware attack,” Border said. “If you have considered it, you should be executing those plans.”

Accountability is key

From here on out, every minute is valuable, and having clear marching orders is crucial.

“Make sure your key responders and key personnel are educated on who is accountable for what actions and what they’re required to do,” Dennis said.

Ask for help

“Hopefully, you have security partners and consultant groups that you’re already working with. Leverage those minds right away,” Border said.

U.S.-based companies can also enlist the help of the FBI and the Cybersecurity & Infrastructure Security Agency (CISA). (This CISA mitigation guide offers best practices to combat pervasive cyber threats.)

Think about your backups

“If you have an understanding of what the ransomware has exploited, what types of systems and data and patient records it’s taking, do you have backups of that? Is it feasible to recover what you believe has been exploited?” Border said.

How did it happen?

“Do you know how they came in? Because if you don’t and you start mitigation and recovery and deleting laptops and servers and then bringing it back online, if you haven’t plugged the hole, without a doubt it will spread right back to the new things that you’re bringing online,” Border said.

Be transparent

“Having an open line of communication with all of your partners, all of your vendors, is really essential,” Dennis said. “Working together is what’s going to ensure success.”


What to look for in a vendor

As healthcare organizations upgrade their tech stack, cybersecurity should be top of mind.

“What is their software development life cycle? What is their patching process? How do they support you?” Dennis said.

Getting answers to your questions will help you make a more informed decision. Keep in mind, though, that “nothing is perfect” in cybersecurity, Dennis said.

All of which is why transparency is so important.

“These well-known industry leaders that have a reputation for transparency, in my opinion, are always good ones to look at first if they provide a solution in the market (that you’re looking for),” Dennis said. “Knowing that a company by design thinks of security transparently just might be the thing that tips them over the edge in terms of your business decision.”

How Hyland can help

Hyland’s intelligent content solutions are designed to detect and combat cyber threats effectively, with protection measures such as encryption, permissions, risk management and retention, and selected access and approval processes.

The power of the cloud

Migrating content to the cloud can alleviate some of the challenges healthcare organizations confront as they attempt to keep up with ever-changing cybersecurity threats and privacy regulations. The Hyland Cloud allows organizations to quickly scale to their needs while supporting security and compliance requirements.

The Hyland Cloud also provides an average uptime of 99.99%, making an organization’s data available whenever and wherever it’s needed.

10 benefits of moving to the Hyland Cloud

  • Secure data hosting structure

  • Encrypted in-transit connections

  • Built-in redundancy

  • Data replication

  • Disaster recovery

  • Ongoing penetration and vulnerability testing

  • Increased agility

  • Seamless integration with content services

  • Time and cost savings

  • Decreased burden on staff


Cloud testimonials

Baptist Health — a Louisville, Kentucky-based health system with nine hospitals, nearly 23,000 employees and 1,500 employees — shifted from an on-prem deployment to the Hyland Cloud.

“We are more secure in the cloud than we were on-premises,” Corporate IT Manager Mitzie Dodge said. “It’s just comforting and you sleep better at night.”

Bon Secours Mercy Health — one of the five largest Catholic health systems in the U.S. — moved more than 700 million documents to the Hyland Cloud.

“Prior to the move to the cloud, our system was a little unstable,” IT Strategic Partner Julie Januski said. Now, the health system is “in a much more stable place than we were prior,” she added.

Endeavor Health — a nine-hospital health system with more than 27,000 team members and 1.3 million patients — is attacked 1,500 times an hour, System AVP Eric Merchant said.

“Thank God that nobody has penetrated our systems,” he added. “The side benefit of the cloud with (Hyland and) AWS is that they are constantly optimizing security on a daily, weekly and monthly basis, and we are getting the benefit.”

That’s why Bon Secours CIO Mike Hibbard talks about the “CIO ROI” that comes with cloud transitions.

“I could sleep better at night knowing that Hyland has our back on security, on patches, on monitoring,” Hibbard said.

Does your healthcare organization have “good security and IT hygiene”?

Hyland can help.
