April 2023 – The Journal of Healthcare Contracting
By Todd Ebert, R.Ph., President and CEO of the Healthcare Supply Chain Association (HSCA)
At the present time, it seems as though no one in the healthcare industry is immune to cybersecurity incidents. Public and private sector entities continue to call attention to the risks posed by data breaches and other cybercrimes. Not only do these events impose significant costs on healthcare providers, but they can also result in unauthorized parties gaining access to confidential patient information. According to IBM’s 2022 Cost of a Data Breach Report, the cost of a data breach in the healthcare industry increased 42% since 2020. In 2022, the average cost of a breach in the healthcare industry was $10.10 million – the highest average cost of any industry. Unfortunately, this is the status quo: the healthcare industry has maintained the highest average cost for the past 12 years.
Healthcare providers and the patients they serve can’t afford to be the victims of a cybercrime. Many providers also can’t afford to proactively address their vulnerabilities. The healthcare industry struggled in 2022, with many experts calling it one of the worst operating income years ever. Dozens of major health systems reported losses last year, due in part to rising expenses and poor performance in financial markets. Labor shortages are just one of the factors increasing costs for the industry, along with increased investment in cybersecurity. Investing in cybersecurity is both costly and labor-intensive, creating additional burdens for providers and health systems.
The post-pandemic world has also increased the number of cybersecurity vulnerabilities that healthcare providers must account for. The COVID-19 pandemic, which saw many employees shift to remote work and a spike in the use of telehealth, caused a rapid change in technology and data sharing, according to Healthcare Supply Chain Association member GPO Provista. Remote work can also make healthcare employees more susceptible to phishing, a type of cybercrime in which a fraudulent email is disguised to look like it’s from a reputable or known company or sender. Phishing is designed to steal data or compromise an organization’s security – both outcomes that pose significant risks for healthcare providers.
Healthcare group purchasing organizations (GPOs) can help ensure that healthcare providers have access to the most effective cybersecurity protection at the best cost. Many GPOs partner with IT suppliers and experts who have proven solutions that identify and prevent cybersecurity incidents. Maintaining device and information security is a shared responsibility of the manufacturers and suppliers of connected devices and services, as well as the healthcare delivery organizations (HDOs) that use them. The Healthcare Supply Chain Association (HSCA), which represents leading healthcare GPOs, assembled key cybersecurity considerations and recommendations for medical device cybersecurity terms and conditions. HSCA encourages all stakeholders to evaluate their cybersecurity practices with the goal of protecting patient care and strengthening the industry as a whole.
GPOs have delivered critical cost-savings to hospitals and healthcare providers for more than a century. In this high-stress and high-cost time for providers, the services and scale of healthcare GPOs are more important than ever. HSCA and its member GPOs are committed to expanding their offerings in cybersecurity and other areas to meet the needs of healthcare providers while continuing to help them access products and services at the best value.