Introduction

The healthcare sector is changing dramatically thanks to the rise of digitalization. More information than ever is migrating from paper to electronic form, driven by process automation, artificial intelligence, telehealth and the remote monitoring of medical devices.

This rapid evolution has created a torrent of data. According to the World Economic Forum, hospitals produce 50 petabytes of data each year.

As in other sectors, digitization in healthcare brings both opportunities and challenges. Larger volumes of digitally stored data—much of which is highly sensitive—can make cyberattacks more likely. The U.S. Department of Health and Human Services (HHS) documented 5,150 reported healthcare data breaches of over 500 records between 2009 and 2022, with more occurring in 2021 than ever before.

According to Claroty’s survey of 1,100 cybersecurity, engineering, IT, and networking professionals who work full-time at healthcare organizations, 77% of European healthcare professionals reported at least one cybersecurity incident between June 2022 and June 2023, while 29% said that personal identifiable information (PII) was affected. In APAC, 69% reported at least one breach, with 26% reporting an impact on PII. In South America, 87% report at least one incident, with PII exposed in 24% of cases.

Globally, the situation was similar. Check Point Research saw a 74% increase in global healthcare attacks during 2022, with an average of 1,463 attacks per organization in the sector each week.

This data's sensitivity creates an acute information security risk for healthcare companies and their patients. It attracts numerous threats from criminal actors, including data theft and cyberattacks that can disrupt administrative systems and affect healthcare operations.

Fraud is also a big concern. Funds stolen through unauthorized system access affect the working capital needed to provide healthcare services. Malware and ransomware can cost millions by shutting down critical IT systems.

These risks represent big costs for hospitals. According to the 2023 Cost of a Data Breach report from IBM and the Ponemon Institute, the average cost of a healthcare data breach was $10.93m, compared to a cross-sector average of $4.45m. The cost of healthcare data breaches has increased 53.3% over the past three years.

With so much at stake, the risk of cyberattacks places more pressure on treasurers across the healthcare ecosystem to put cybersecurity and fraud prevention at the heart of their digitization and payments strategies.

These practices should follow the principles that already underpin mature cybersecurity efforts. This uses multiple levels of protection, spanning three key domains:

• Technology: Technology protections include network intrusion detection and prevention, identity and access management, and multi-factor authentication.
• Process: All processes should be tailored with security in mind. These include change management requests, least-privilege management, and the regular application of security patches.
• People: Effective cybersecurity relies on an engaged workforce. All users, including employees and contractors, should be aware of digital threats and the importance of cyber hygiene, especially surrounding threats like phishing, which attempt to trick users into revealing sensitive information.

Digital innovation and risk

Security concerns aren’t limited to the boundaries of a particular provider or manufacturer. The healthcare system is increasingly interconnected, which requires the extension of cybersecurity protections to partners such as vendors, clients, and suppliers. Large interconnected networks can increase an organization’s vulnerability and make them more likely to become a victim of cybercrime. Audits, controls, and risk management play a key part in inter-organization cybersecurity. Security must be consistent and dependent at all points along the way to protect the data that flows between these organizations.

Digitization in healthcare also involves more connected medical devices. The internet of medical things has evolved to incorporate many different technologies that support better patient outcomes. These include everything from automated insulin delivery systems to wearable devices that gather data on patient vitals, enabling hospitals to release patients for home care. All of these systems are ripe for cyberattack.

Digital payments are also increasingly common in healthcare, both for consumers through contactless payment options and in B2B payment scenarios. The complexity of the healthcare system expands the number of potential payment points, each of which creates another attack vector.

Security considerations specific to healthcare

Healthcare organizations, including insurers, face sector-specific cybersecurity challenges, especially under Health Insurance Portability and Accountability Act (HIPAA) regulations.

Companies in this sector must find a balance between meeting regulatory requirements while undergoing digital transformation. Regulators apply their restrictions with good reason, because the stakes are high when tackling cybersecurity in healthcare. The sector faces threats across several areas:

• PII: Healthcare operations are responsible for large amounts of personal information. This is a valuable target for hackers, who can use it for identity theft.
• Payment information: Financial data is a valuable asset for perpetrators of fraud and criminal groups. It can be used to make fake purchases, or cybercriminals could use hacked physician credentials and stolen patient lists to file illegitimate insurance claims as outlined in Deloitte’s report, The Looming Wave of Cyber Fraud in Health Care. Leveraging payments technology built with HIPAA compliance and cybersecurity in mind, like InstaMed, can help mitigate these risks.
• Business disruption: Denial of service attacks and ransomware pose acute risks for healthcare companies, who might find themselves returning to manual operation when compromised systems fail.
• Healthcare quality: Attacks on healthcare data and digital infrastructure can also affect patient care. Research into healthcare cyberattacks by security vendor Proofpoint found that 23% of organizations reported an increased mortality rate from cyberattacks.

There are plenty of resources available to healthcare companies that will help them to refine their cybersecurity protections. For example, the HHS 405(d) program provides guidance and links to help create a robust security framework.

Healthcare providers can also use third-party services to help secure their sensitive data. Healthcare Link is one such service. This digital lockbox from J.P. Morgan images paper-based bill and remittance documents, using artificial intelligence to derive actionable data that feeds payment systems. Healthcare Link provides a secure mechanism for healthcare organizations to store and access this critical business information while remaining HIPAA compliant.

Globalization, innovation, and regulation

HIPAA is just one example of healthcare-related regulations that place extra pressure on organizations as they strive for efficient operations in this sector. They must balance innovation with a global patchwork of data security guidelines, regulations, and policy initiatives focused on maintaining data and process safety.

Examples of cybersecurity policy initiatives in the US include the Healthcare Cybersecurity Act of 2022, proposed legislation resulting from collaboration between HHD and the Cybersecurity and Infrastructure Security Agency (CISA). Another is the CDC's 2020 healthcare Data Modernization Initiative.

Policies and regulations in the EMEA region are even more complex, layering bloc-level initiatives atop country-specific regulations. For example, the EU has a Medical Device Regulation and has proposed creating a Health Data Space for security purposes. EU healthcare organizations must also contend with regional payments initiatives such as the Single Euro Payments area (SEPA), and the amended Payment Services Directive (PSD2).

The regulators producing these rules often struggle to keep up with fast-paced innovation in areas such as health IDs, payments, and telehealth. This innovation also includes "digital front doors:" healthcare portals that provide one-stop access to services and information throughout the healthcare value chain, as outlined in J.P. Morgan's Future of Healthcare Payments white paper.

Although exciting, products like these require more data exchange than ever, often between multiple healthcare operators and related services. This creates multiple points of vulnerability where attackers could steal data, misappropriate financial information, or affect system operations.

While regulation might make innovation more difficult, it’s also a crucial response to the growing cybersecurity threat, designed to protect healthcare operators and their patients.

In summary

There is always a danger that cybersecurity gaps might emerge in any industry that moves quickly to innovate. Healthcare, with its complex industry structure and reliance on highly sensitive information, is especially prone to this problem. The impact on healthcare payments and the opportunity for fraud are especially concerning, as attacks in these areas can bring critical healthcare processes to a halt, impacting patient care.

The solution isn’t to shy away from digital, but ensure it is done with embedded security across products, partners, and infrastructure.

To deliver improved, accessible, and cost-efficient care, it is essential to embrace digital transformation. A modernized payments infrastructure plays a critical role in achieving this future. The healthcare industry must adopt advanced payment technology in order to keep pace with end-to-end financial solutions. They must work with experienced partners to help them integrate payments into electronic health records platforms, develop cross-currency solutions, expand merchant services, and effectively manage liquidity.

J.P. Morgan has a variety of services and systems that can help healthcare providers to secure their payments, processes, and data. Contact us to find out how we can help.