Navigating The Highly Saturated Healthcare Cybersecurity Market

With a highly saturated healthcare cybersecurity market, healthcare organizations may find it difficult to choose vendors and make investment decisions.

As cyberattacks increase, the healthcare cybersecurity market is being inundated with new vendors and solutions. Navigating the highly saturated healthcare cybersecurity market can be difficult, especially with a limited budget and a vast amount of protected health information (PHI) to safeguard.

“There’s a dizzying array of new cybersecurity vendors,” Michael Carr, CTO at Health First, a fully integrated health system in Florida, noted in a previous interview with HealthITSecurity.

“There are a lot of innovative technologies out there, but do they scale? Do they solve more than one problem?”

Healthcare organizations must weigh the benefits associated with engaging a variety of different cybersecurity vendors that each address very specific needs versus the risk of leaving gaps in the organization’s cybersecurity architecture.  

“If I bring in a new solution to solve every single problem, at some point that’s not scalable,” Carr noted.

Along with scalability, organizations should also be wary of the fact that each new third-party vendor comes with its own set of cybersecurity risks, even if their solution aims to mitigate those same risks. It is extremely important to vet third-party vendors before signing contracts and consistently conduct third-party risk assessments internally or via an independent assessment agency.  

The American Hospital Association (AHA) is actively aiming to ease the burden on healthcare organizations through its AHA Preferred Cybersecurity Provider (APCP) Program.

“One of the most consistent concerns we have heard from our hospital cybersecurity professionals is that they are inundated with constant solicitations from thousands of cybersecurity firms, all claiming to have the ‘most unique and best’ solution or technical tool for every conceivable facet of cybersecurity,” John Riggi, senior advisor for cybersecurity and risk at the AHA, told HealthITSecurity.

“The goal of this program was to help our members distinguish the signal from the noise by identifying trustworthy and accomplished cybersecurity firms that can truly help our members and provide excellent value.”

The program was founded in Spring 2021 and now includes 8 carefully selected vendors: BlueVoyant, Critical Insight, Aon Insurance, Cylera, FTI Consulting, Medigate, Palo Alto Networks, and cyber incident response vendor [redacted].

To qualify as an AHA-approved provider, each vendor had to go through a vetting process and demonstrate quality service. The AHA will continue to require customer satisfaction reviews from each vendor in order to remain a preferred provider.

These vendors provide various solutions across the healthcare cybersecurity space, including incident response, medical device visibility, cyber insurance, and vulnerability scanning solutions.

The existence of this program speaks volumes about the current state of the cybersecurity market. Not only does it address the influx of new vendors into the market, but it also points to the increasing need to protect health data from bad actors as cyberattacks continue to overwhelm the healthcare sector.

“As high impact ransomware attacks continue to occur and disrupt patient care on a regional basis, the quality and depth of an organization’s cross-function cyber incident response plan is critical to ensuring a swift and effective response to contain the attack, minimize damage, and enable a speedier recovery,” Riggi emphasized.

“We have seen time and again that the cyber incident response plan is the lynchpin during a cyberattack.”

Along with a comprehensive cyber incident response plan, healthcare organizations should prioritize vulnerability scanning, endpoint security, and defense-in-depth strategies. As the vendor market continues to grow, Carr predicted that healthcare organizations will take a different approach to cybersecurity.

“I think we are going to see a change in how we invest in information security and cybersecurity,” Carr previously predicted.

“We have to get smarter about how we work with these vendors and ask: with this increase in security spending, is the business getting a return? And I don't think we can answer that in most cases.”

Navigating the highly saturated cybersecurity market is an overwhelming task for any healthcare organization. Doing so with the help of industry experts and a deep understanding of the organization’s specific security needs can help healthcare organizations mitigate risks and choose trustworthy vendors.
