HAP Blog

5 Cybersecurity Lessons from 2022

Reflecting on an unprecedented year of digital threats in health care

November 15, 2022

In January, I implored our readers to make cybersecurity their 2022 health technology priority.

But even with the benefit of hindsight, it’s hard to believe how big a year this has been in health care cybersecurity.

Hospitals and health systems always have been caretakers for patients and their sensitive personal information, but this year has tested us like never before. We’ve read countless headlines and emergency sector notices about new digital threats, and they serve as a reminder of the work ahead.

As we approach the New Year, here are five cybersecurity lessons I’m taking with me.

  1. Preparing for a global threat

Events around the world can make a significant impact at home.

During February, this was especially true, as we considered the downstream effects of the conflict between Russia and Ukraine. For hospitals, it was another reminder that we must bolster our posture against the bad actors who want to cause disarray.

As health care becomes more digitally connected, we know our industry becomes an even larger target for those who want to cause disruption on a global scale.

  2. Broader trends

The costs associated with cyberattacks are only growing. A report from earlier this year noted that the average ransomware payment from the 2021 fourth quarter was $322,168, a 130 percent increase from the third quarter.

The growing scope and scale of cybercrimes provide us with another reminder of the stakes at hand. Failing to improve our cyber posture will strain our hospital operations and finances.

  3. Legislative action

A few months ago, I noted the growing list of initiatives that have emerged to strengthen cybersecurity for medical devices, supply chains, and other crucial information systems. These legislative policies will help shape how we prepare for, respond to, and report cyberattacks in the future.

As we head into 2023, I’m confident we will continue to see regulatory and legislative action to address the digital threats we face.

  4. Be informed

We know that being informed is the first step in our situational awareness. You can’t prepare for what you don’t see. That means following threat briefs, sector alerts, and other crucial updates from the Health Sector Cybersecurity Coordination Center, CISA, and other official sources.

We all receive thousands of pieces of information every day, but we must make these alerts a priority within our organizations.

  5. Taking action

Finally, we can take preventive action. A strong cyber posture includes these bedrock principles:

  • Maintain offline, encrypted backups of data and regularly test your backups
  • Conduct regular scans to identify and address vulnerabilities
  • Regularly patch and update software and operating systems
  • Train your employees regarding phishing and other IT attacks

I can’t predict the future, but I know we have to remain vigilant. With cybercrimes getting more complex, we must stay ready for the challenges to come.

If you’d like to know more about how you can bolster your cybersecurity, contact Jason Tomashunas, MS, CHEP, HAP manager, emergency management. John Riggi, the AHA’s senior advisor for cybersecurity and risk, also offers coverage and resources about health care cybersecurity.

