Top Tips for Creating a Cybersecurity Budget in Healthcare

The healthcare industry will remain a target of cyberattacks because of the breadth of sensitive information a healthcare record contains.

With this in mind, the need for cybersecurity is not going away; it is becoming an increasingly prominent focal point in the industry, as you will see shortly. If your organization is struggling to justify the financial cost of adding cybersecurity to its yearly budget, consider asking yourself the following questions:

  • Why do you, and other key stakeholders, think that cybersecurity is a good investment?

  • What is the potential cost of a cyberattack against your organization?

  • How will you determine how much to spend on cybersecurity?

A recent HIMSS Cybersecurity Survey paints a proactive picture, demonstrating that healthcare organizations recognize the importance of funds for cybersecurity. Based on the feedback from 168 US-based health information security professionals, it was found that "advances are occurring in healthcare cybersecurity practices and healthcare organizations appear to be allocating more of their information technology budgets to cybersecurity." Has there been a renewed focus placed on cybersecurity amongst healthcare organizations, IT leaders, and employees in the field? It would seem so. If you are looking to incorporate cybersecurity into your yearly healthcare-related budget, continue reading for some tips.

Barriers to cybersecurity action

While healthcare organizations may want to elevate their cybersecurity protocols, several barriers can impede that from happening. Perhaps the largest is a lack of resources. What do "resources" refer to here? In most cases, finances. Some organizations do not have adequate funds to develop a cybersecurity budget, while in other cases funds are available but not adequately allocated to cybersecurity activity.

In the United States, healthcare organizations and providers are required to comply with the provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA includes guidelines for the handling of patient information across a variety of media, ranging from spoken words to electronically stored data. Stringent HIPAA requirements may also play a role in the lack of action on developing and enforcing cybersecurity protection measures, since not all organizations have the personnel or finances to develop plans that would pass a HIPAA audit. Though it may be difficult, doing so is necessary to avoid lost data, fines, a damaged reputation, and potential jail time.

Why is it important to budget for cybersecurity?

Budgeting for cybersecurity is more than just protecting against cybercriminals. There are other implications related to day-to-day business operations. Some of the reasons healthcare organizations should consider budgeting for cybersecurity include:

  • Implementing proper security programs to monitor, isolate, and remove threats, both internal and external

  • Meeting vendor requirements that are important to obtaining contracts or fulfilling the duties of an agreement

  • Complying with regulations such as the General Data Protection Regulation (GDPR) in Europe and HIPAA in the United States, as well as other local and federal requirements

Approaches to cybersecurity budget planning in healthcare

  • Reactive vs. Proactive: Creating a cybersecurity budget should be something thought of well ahead of time. Unfortunately, many organizations, including those in healthcare, are still reactionary in this regard. What does this mean? When a cyberattack occurs, organizations react by spending money in the moment, or shortly after, to install new antivirus software, firewalls, and other related programs to quell the onslaught of attacks. This spending could come from extra cash on hand, or it could be part of a dedicated 'emergency fund'. This approach is risky because once cybercriminals infect a system, it is often too late to reverse the damage. A reactive approach is also difficult for smaller healthcare organizations and others who may have less free cash on hand. When you choose a reactive approach, you may also be neglecting preventative security measures prior to that initial 'reaction'.

  • Benchmark: Some healthcare organizations, especially those building a cybersecurity budget for the first time, may find it difficult to understand where to start. This is where setting benchmarks can help. The IT department or those in charge of cybersecurity at your organization should look at industry peers, competitors, and other security teams to understand what their best practices are in this field. Once you determine the protections they have in place, it will be up to your team to evaluate their efficacy and decide whether you can improve on them or scale back. This process creates a starting point and should provide a better idea of the general cost of the programs required.

  • Risk-Based: The risk-based approach is best suited to larger, more mature healthcare organizations. Building on the benchmark approach, the risk-based approach goes one step further, assigning levels of risk to different parts of the organization rather than applying blanket protection. This can help an organization save money by not over-investing in a particular area while at the same time not under-investing to the point where there are gaps in protection. This approach will involve lengthy discussions between the IT team and management about the level of acceptable risk for each area considered for coverage.

Other important budget considerations

When looking at implementing a cybersecurity budget in healthcare or updating an existing one, consider the following as well:

  • Compliance: Does the organization comply with all federal and local regulations (e.g., HIPAA)?

  • Ongoing risk assessments: The landscape of cybersecurity is constantly evolving. Is there enough budget to conduct regular risk assessments?

  • Training: Similar to the above point, staff should be aware of the latest cybersecurity trends and the practices expected at your organization. Be sure to leave room in your budget to conduct regular training and update sessions.

  • Expanded/updated service: If your healthcare organization is looking to update current services offered or add new ones, how will that affect your cybersecurity position? Do more levels of protection need to be added?

The bottom line: Always make room for cybersecurity in your yearly budget

Cyberattacks can occur at any moment. An attack could be unfolding right now, and you may not even know it. In the healthcare industry, there are strict guidelines to follow, such as those set out by HIPAA in the United States. In addition, protecting against the loss of sensitive patient data should always be top of mind. To protect your organization and its data from bad actors, both internal and external, we recommend taking a proactive approach to developing a cybersecurity budget for healthcare. With this approach, you will be prepared in case of a cyberattack, allowing you to react quickly or stop an attack altogether.

Recommendation: A proactive approach to cybersecurity budgets means understanding the mindset of a cybercriminal and then building a strategy around that understanding.