The Cost of Data and Systems Security

It is well known that information security, if it is to be treated properly, is not a low-cost endeavour. From the management perspective, it often seems that the organisation’s budget would be better spent on areas directly related to its core business, i.e. the provision of healthcare. Historically, the cost of securing information was absorbed into the ICT budget, where it was typically marginalised and overlooked. On the other hand, most ICT systems were historically used to support mainly administrative tasks, so direct threats and risks to patients were minimal.

As the digitisation of healthcare advances and healthcare becomes more connected, services become data-driven and increasingly dependent on the availability and proper functioning of the ICT infrastructure. This significantly increases the cost of any malfunction, let alone of malicious action aimed at those devices and systems. Furthermore, the use of wearables and home-based medical devices is on the rise, so the amount of information processed digitally, and the reliance on ICT in the actual provision of healthcare services, will increase dramatically.

In the past, the value of information security was mostly intangible, and it was quite hard to calculate the benefit gained or, at least, the cost savings of securing information in healthcare organisations. This task has become much easier: one can simply calculate the cost of downtime of a crucial process such as a CT or MRI scan, or the cost of a failure of the laboratory information system. The cost of information security can therefore be compared with the cost of its absence. Any of these cybersecurity incidents has a direct impact on the bottom line of the healthcare provider, regardless of the root cause of the failure. And these are just the direct costs and losses of doing business.

There are reports of health organisations that, after suffering cyberattacks in recent years, such as ransomware and phishing attacks, have halted regular operations after data was stolen, encrypted or deleted. A very well-known example is the so-called WannaCry ransomware which, on 12th May 2017, shut down hundreds of thousands of computers around the world, followed by messages from hackers demanding ransom payments; it was the result of a phishing attack and a lack of operating system upgrades. In the United Kingdom National Health Service, this attack disrupted several healthcare services, with approximately 20,000 appointments cancelled, costing £20m over the course of a week and more than £70m in the subsequent clean-up and upgrades to IT systems (1).

Failure to provide sufficient information security may of course have very dire implications for the healthcare organisation. One must not forget that penalties and lawsuits related to personal data breaches, or to malpractice arising from poor information security, will increase dramatically in the coming years and must also be taken into account.

Many variables affect the cost of downtime, and they are not easily quantified. The cost depends on the type of organisation, the event that causes the downtime, and the indirect costs that follow from it; however, a simple exercise shows that the cost can be very high: How many doctors’ appointments will be cancelled if we have an hour, a day, or a longer period of downtime? How many surgical procedures will be cancelled for a given period of downtime? How many hours of labour will be lost?

For example, the unavailability of critical services will entail costs related to the impact on citizens’ and patients’ rights and freedoms. Making information unavailable because of information security flaws may ultimately be argued to constitute a data breach within the scope of the GDPR, which will in turn lead to the costs of investigations, the costs of producing justifications and evidence for supervisory authorities, and may finally result in the imposition of heavy fines under that European law.

There are also indirect costs, such as loss of reputation: if systems go down, organisations cannot meet their commitments. Re-doing work is another indirect cost; it is most often linked to loss of data, which sometimes cannot be recovered.

