Anyone looking for a case study illustrating the speed of the evolving cyber threat need look no further than healthcare. The COVID-19 pandemic and rampant ransomware attacks shone a light on the cybersecurity threats facing the healthcare sector, as cybercriminals capitalized on the financial gain from stealing financial data and healthcare research. Despite being one of the first and most heavily regulated sectors for cybersecurity, healthcare has remained one of the weakest. This chapter emphasizes that cybersecurity is a critical component of modern healthcare, and that cybersecurity can pose additional risk to patients. This chapter recommends that cybersecurity investments be reclassified as an element of patient care within the medical loss ratio. It also calls for reduced regulation and increased incentives. For example, Meaningful Use requirements should be reduced or forgone entirely to allow for investment in and use of health information exchanges to increase secure interoperability in the healthcare field. An incentive-focused regulatory approach would encourage more companies in the healthcare industry to make the investments necessary to protect information assets. With the right incentives, we drive good information security behavior today and continual good behavior going forward.
Combining Technology, Public Policy and Economics to Create a Sustainable System of Cybersecurity