How Healthcare IT Teams Can Secure Executive Buy-in for Critical Cybersecurity Investments

It’s well known that ransomware is on the rise across industries. Healthcare organizations experienced more ransomware attacks than any other critical infrastructure sector last year, according to the FBI’s 2023 Internet Crime Report. Given the wide-reaching consequences and direct patient impact of such attacks, it’s become clear that investing in cybersecurity is a critical priority. This is particularly true of securing Microsoft infrastructure, including identity management systems like Active Directory (AD), a central permissions and authorization platform that forms the IT backbone of 90% of large companies and nearly all healthcare organizations — and a highly common ransomware target. 88% of Microsoft customers impacted by ransomware did not employ Active Directory and its cloud counterpart, Entra ID, security best practices, according to the Microsoft Digital Defense Report 2022.

These days, there is no question that protecting healthcare IT infrastructure is directly connected to maintaining patient care, and investing in securing identity systems has never been more urgent. However, although identity infrastructure is a business-critical function, initiatives to protect these systems are often underfunded. Identity management is often viewed as ‘necessary plumbing’ that resides in the realm of IT in order to satisfy basic operational and compliance requirements. Effective communication between IT teams and the C-suite — and between the C-suite and the Board — is a key factor in securing the funds needed to invest in protecting critical IT infrastructure. But IT teams speak a very different language than C-level executives, and will need to bridge that gap to secure C-suite buy-in on these urgent investments.

The reasons for the urgency are crystal clear: ransomware attacks can impact every aspect of a healthcare organization’s ability to serve its patients, from being unable to access patient records and communication platforms to operating room shutdowns and lack of patient access to prescriptions. Providers are often forced to revert to manual operations, drastically slowing down critical processes and widening the margin of error. Furthermore, ransomware attacks lead to severe legal, financial and reputational consequences — and philanthropic donors are likely less than thrilled to learn that funds are being used to pay off ransoms rather than being invested in the organization. 

Clear communication between IT teams and executive leadership is a central aspect of reducing cyber risk to patients and the organization. With the right information, the C-suite can make informed decisions, secure much-needed funding, and equip IT teams with what they need to implement robust cybersecurity measures that protect doctors’ ability to provide care and patients’ ability to access it. Here are some best practices to get these important conversations going:

1. Take a storytelling approach. 

“What happened to them could easily happen to us.” Start with illustrative, real-world examples that paint a vivid picture of how cybersecurity and ransomware attacks have impacted other healthcare organizations. Tell the story from multiple standpoints – the patient perspective, the doctor perspective, IT, and leadership – to demonstrate the far-reaching implications of organizations leaving themselves vulnerable. Use industry statistics to prove that the stories you shared were not isolated incidents but part of a real trend.

2. Speak in business terms.

The most important aspect of any communication is knowing your audience. To get the attention of C-level executives, think in terms of financial impact, ROI and achieving business objectives. Illustrate how reputational damage and operational costs associated with breaches will directly impact revenue and patient care. For example, should a ransomware attack take down a mid-size organization’s Active Directory, a single day of downtime can result in $1.5 million lost in labor costs alone — and without investing in a bulletproof recovery strategy, recovering AD can take days or, more likely, weeks. From there, demonstrate the concrete long-term ROI of avoiding such scenarios from an operational, financial, legal, and reputational standpoint.

3. Articulate your current infrastructure’s limitations. 

IT teams must also help the C-suite recognize that what they believe will protect them — i.e., their current disaster recovery set-up — may no longer be enough. Every minute matters when a ransomware attack shuts down the systems that doctors and patients depend on, and outdated disaster recovery strategies and systems often fall short in defending against major cyber attacks, leaving critical operations exposed to devastating consequences. Clearly communicating the state of your security defenses now vs. where they need to be will motivate the C-suite to take action.

4. And most importantly, start now.

When it comes to ransomware, it’s not a question of if, but when. Don’t wait until after the breach happens: take a proactive approach, get the conversation started now and make it a continuous collaboration. Using real-world examples to show the consequences of such attacks on multiple levels will instill urgency. Demonstrate foresight by offering a clear plan of how the recommended investment will both prevent attacks and enable rapid recovery to reduce impact should attacks occur.

Rising cyber attacks on healthcare providers are a direct threat to patient well-being. Thankfully, modern identity management and disaster recovery strategies can enable the healthcare sector to both harden its identity security posture and make its core IT systems resilient. A healthcare organization’s IT team is its biggest advocate in making sure the right security measures and systems are in place. Clear and effective communication with C-level decision-makers will make all the difference in healthcare organizations’ ability to protect themselves and their patients.

About Dmitry Sotnikov
Dmitry Sotnikov is Chief Product Officer at Cayosoft, a Microsoft Active Directory management, monitoring, and recovery platform. He spearheads the vision, strategy, design, and delivery of the company’s software products, ensuring they resonate with market demands and offer unmatched value to users. With over two decades in enterprise IT software, cloud computing, and security, Dmitry has held pivotal roles at esteemed organizations like Netwrix, 42Crunch, WSO2, Jelastic, and Quest Software. His academic credentials include MA degrees in Computer Science and Economics, complemented by Executive Education from Stanford University Graduate School of Business. Beyond his corporate endeavors, Dmitry serves on the Advisory Board at the University of California, Riverside Extension, and has been recognized with 11 consecutive MVP awards from Microsoft.