Healthcare’s 5-year Cyber Outlook: Predictions with AHA

If last year’s WannaCry attack proved anything, it’s that healthcare has a growing ransom problem.
But in an industry charged with handling the most valuable data on the black market—personal health information (PHI), personally identifiable information (PII), payment information, medical research, and intellectual property—it’s not people being held hostage for ransom, it’s their data.

The result has been a rising number of data breaches per year. In the U.S. alone, healthcare organizations saw nearly 290 large-scale data breaches (those impacting 500 or more individuals) last year, according to the U.S. Department of Health & Human Services. About 44 percent were as a result of hacking or other IT incidents.
So far in 2018, there have been 30 large-scale breaches reported (as of Feb. 20), and about 36 percent were because of hacking or other IT incidents.

Hospital CEOs and other leaders feel uneasy about the potential for future attacks. According to data featured in our article in Futurescan 2018-2023: Healthcare Trends and Implications, a publication of the Society for Healthcare Strategy & Market Development of the American Hospital Association:
  • About 83 percent of hospital CEOs and other leaders believe it is at least somewhat likely that a hospital or health system in their service area will experience a cyberattack involving the theft of patient data from a cloud services provider in the next five years.
  • More than half (51 percent) predict that it is at least somewhat likely that a hospital or health system in their service area will have experienced a cyber breach that interferes with critical medical systems and causes physical harm to one or more patients in the next five years.
What can organizations do to mitigate the growing cyber threat? A well-designed cybersecurity program should include the following:
  1. A risk-based, threat-driven patch management program. Organizations should be able to identify system vulnerabilities and implement patches quickly.
  2. Continuous threat monitoring. Threat monitoring and analytics tools should detect an attack, and investigative and digital forensic capabilities are important to understanding what went wrong and the extent of the damage.
  3. A crisis communications plan that includes internal and external communications. This should be aligned with an existing enterprise risk management framework.
  4. Cyber insurance claims preparedness and adequate coverage. Incurred event response costs for inclusion in an insurance claim should be identified and quantified.
  5. Education and awareness programs. The best line of defense against cyber threats—people—are also unfortunately oftentimes the weakest link. All individuals with access to an organization’s networks, medical devices, and data need to understand their roles and responsibilities in defending against cyber threats. Creating a top-down culture of cybersecurity will make organizations—and most importantly, patients—much safer.
  6. An incident response plan. An up-to-date, frequently exercised cyber incident response plan should include the participation of organization leadership and key personnel from all technology, business, administrative, and clinical functions. That is critical to an effective response when—not if—a cyber incident occurs.
Want to learn more? Read our full article in Futurescan 2018-2023: Healthcare Trends and Implications.
Excerpts from Futurescan 2018-2023: Healthcare Trends and Implications were reproduced within this blog post with permission from the Society for Healthcare Strategy & Market Development.

Patrick Pilch is the national leader of The BDO Center for Healthcare Excellence & Innovation. He can be reached at

John Riggi is the senior advisor for Cybersecurity and Risk at the American Hospital Association. He can be reached at He previously worked at BDO as head of its Cybersecurity and Financial Crimes practice.