12 Ways Nonprofit Healthcare Organizations Can Improve Cybersecurity and IT Despite Limited Budgets

• Limited IT Budgets: When you have less overall money to spend, your IT budget will shrink. This is painful, especially when you must delay necessary upgrades, make due with aging technology, and grit your teeth as you hope that a cyber incident doesn’t occur on your watch. You might try a variety of makeshift solutions to temporarily solve your problems, only focus on the most urgent fires, and accept unhealthy risk. Ultimately, limited IT budgets affect operational efficiency, leading to system downtime impacting patient care and inefficient technology processes adding further strain on your staff.
• Limited IT Resources: You likely lack enough IT staff to manage your systems properly and proactively. Many nonprofit healthcare organizations have small IT teams and sometimes only a single IT staff member. You might be in that boat as your staff feels overwhelmed trying to fight IT fires all day, giving them little to no time for strategic planning. These needs are 24/7, requiring someone to ensure the continuous operation of your critical healthcare systems.
• Outdated Technology: If you lack budget to upgrade and replace aging technology, then you will rely on legacy systems prone to downtime, disruption, and ongoing performance issues. Legacy systems are usually unsupported by the vendor, leaving them vulnerable to cyberattacks and bugs from lack of patching and updates. The frustrating thing is that you probably know they need replacing, but it’s been put off so long that the upgrades now seem cost-prohibitive.

• Increasing Cyber Threats: As one of the most targeted industries for cyberattacks, healthcare organizations are at a very high risk of experiencing data breaches and ransomware. Yet, many nonprofit healthcare organizations simply lack the resources to implement cybersecurity measures that would lessen the risk of a cyberattack and ensure that patient data is safe and recoverable.
• Strict Compliance Requirements: A scary aspect of overseeing your nonprofit healthcare organization’s IT is contemplating the consequences of noncompliance with regulatory requirements. Regulations such as HIPAA are strict and enforced, requiring stringent data protection measures. Failure to comply with HIPAA can result in fines, loss of funding, and reputational damage.
• Inability to Scale: As demand for medical services grows, nonprofit healthcare organizations face challenges in scaling their IT infrastructure to accommodate more patients and data without significant investment. Yet, a lack of IT and cybersecurity resources means you cannot adapt to these growing patient and data needs. Without the ability to effectively scale technology, you won’t increase operational efficiency.

Given Existing Challenges, Giving Up Is Worse

We’ve painted a stark, bleak picture that likely represents some of your struggles as a nonprofit healthcare organization. However, despair and status quo will quite possibly take you down a worse path, even if the worst hasn’t happened yet. If you continue down your current path, you risk the following worst-case scenarios waiting to happen:

1. Financial and reputational damage

Without adequate cybersecurity measures, cybercriminals can:

• Steal sensitive and confidential patient data such as medical records.
• Encrypt critical systems with ransomware and demand a ransom.
• Conduct repeat attacks when you do not address vulnerabilities.
• Destroy data or make it inaccessible, leading to permanent data loss.

We cannot overstate the amount of financial and reputational damage such incidents will cost you. Cybercriminals selling your patient data on the dark web. Lack of access to your data impeding your ability to provide critical care for patients. Permanent data loss leading to HIPAA violations and lawsuits.

Such cybersecurity incidents or chronic operational issues can result in:

• High recovery costs: Responding to data breaches, cyberattacks, ransomware, or IT failures can involve significant costs such as hiring external consultants, upgrading systems unexpectedly, and restoring data.
• Loss of funding: Donors may get skittish in the wake of publicized incidents, hesitating to contribute to an organization that cannot demonstrate effective data security and operational stability. It may also become harder to win grants or receive money from government sources.
• Patient distrust and lost revenue: Breaches of patient data or disruptions to care can damage your reputation enough to drive patients away, leading to lost revenue. Under the HIPAA Breach Notification Rule, if a breach occurs beyond a certain number of patient records, you are required to make public statements to the media—which can be far more damaging than having to pay fines.

2. Fines for HIPAA noncompliance.

Failure to implement proactive cybersecurity measures can lead to noncompliance with HIPAA, resulting in legal penalties, fines, and increased scrutiny. As a secondary repercussion, patients and other stakeholders may file lawsuits if their data is compromised, leading to costly legal battles.

3. Severe operational disruptions.

Downtime and service interruptions are unacceptable in a healthcare environment. Outdated IT systems or underinvestment in cybersecurity may suddenly lead to a successful cyberattack that disrupts critical services such as patient care, scheduling, or billing. Staff must work around inefficiencies or revert to manual processes, reducing your organization’s overall effectiveness. In extreme cases, the financial and operational strain caused by IT failures or security breaches can lead an organization to shut down entirely.

Addressing IT Issues Despite Limited Budgets, Resource Gaps, and Outdated Technology

When faced with limited budgets and resources, you can do a lot to accommodate the reality you face and make some significant improvements—avoiding the serious risks we’ve listed. Addressing these challenges requires a combination of strategic planning, investment in technology, and partnerships to bolster IT and cybersecurity capabilities.

We encourage you to prioritize a few key efforts that can help your nonprofit healthcare organization better safeguard sensitive data, ensure compliance, and continue delivering essential services to patients.

2. Optimize existing resources. 

There is a lot you can do with what you already have. For example:

• Implement recommendations from your risk assessment: Your assessment will likely identify low-hanging fruit that doesn’t cost much to implement—such as needing to apply multi-factor authentication (MFA) or consolidating servers.
• Decommission unused tools: Eliminate any redundant or unused hardware and software to save costs such as:
  • Unused servers and workstations
  • Underutilized software and applications
  • Redundant tools
• Extend the lifespan of your devices: To make sure you can keep your devices as long as possible, it helps to proactively apply firmware and software updates, monitor your hard drive health, upgrade hardware components, and apply security patches.

3. Adopt cloud solutions where possible.

One area that can often lead to major savings is getting rid of your on-premises servers and moving applications into the cloud. On-premises servers are expensive to maintain, support, and replace every few years. They are also difficult to keep secure and very costly to scale. While cloud solutions aren’t necessarily inexpensive, they can often cut costs compared to physical servers, hardware maintenance, and upgrades. Subscription prices mean you only pay for what you need, and many tasks such as maintenance, patching, and some cybersecurity activities get taken off your plate. Go through your current server-based software and applications with the intent of looking for cloud opportunities.

5. Replace outdated technology and applications in phases.

This might seem like a contradictory recommendation if we’re talking about working within your budget. However, keeping hardware or software beyond end of life will cost you more in the long run. Expenses creep up with:

• Unplanned hardware failures
• Downtime and operational disruptions
• Increased chance of a successful cyberattack
• Increased chance of permanent data loss
• HIPAA fines
• Inability to use modern applications

Modernizing IT infrastructure helps you reduce your technology debt and serious risks associated with running legacy technologies. We recommend that you replace outdated technology in phases based on risk and criticality rather than all at once.

6. Implement or upgrade baseline cybersecurity measures.

Investments in baseline cybersecurity measures are not only cost-effective but also prevent devastating, unplanned post-cyberattack costs in the future. You don’t want a significant cybersecurity incident to happen that costs hundreds of thousands of dollars because you didn’t want to invest in relatively inexpensive tools.

At a minimum, you need:

• 24/7 systems monitoring: Someone needs to monitor security alerts and act upon them if needed.
• Multi-factor authentication (MFA): MFA is simple to implement, often doesn’t cost anything, and prevents 99.9% of account compromise attacks.
• Endpoint detection and response (EDR): Prevents and detects the deployment of viruses, malware, and ransomware while also flagging anomalous behavior when cyberattackers enter your systems.
• Patch management: Known software vulnerabilities are routinely exploited by hackers, so proactive patch management is essential.
• Email filtering and spam protection: Email is the #1 attack vector used by cybercriminals, so you need to make sure that advanced email security is in place.

7. Invest in security awareness training.

95% of cyberattacks begin in an email. An employee clicking on the wrong link or attachment can allow ransomware into your organization or user credentials to get into the hands of cyberattackers.

Regular training on cybersecurity best practices reduces risks from phishing and human error. Effective cybersecurity awareness training exists that fits into a busy employee’s schedule. At leisure, an employee can watch video training and study training materials. You can also conduct phishing simulations to identify employees who may be more vulnerable to phishing.

9. Revise your incident response plan.

If you haven’t looked at your incident response plan in a while (or don’t have a clear plan documented), then now is a good time to review it. A simple, actionable plan will go a long way toward helping you respond to a breach, cyberattack, or other incident. Plus, the process of thinking through your plan is a helpful exercise that unearths gaps and assumptions about your ability to respond—including areas such as communication protocols and escalation paths.

10. Get HIPAA-compliant ASAP.

It’s important to address any areas where you are out of compliance so that you avoid fines and other repercussions. Some common areas of non-compliance include:

• Conducting a comprehensive risk analysis: HIPAA requires organizations to assess risks and document how they plan to mitigate them.
• Employee training: HIPAA Privacy and Security Rule training is mandatory.
• Handling electronic Protected Health Information (ePHI): You need to store, transmit, and access ePHI securely and with authorization.
• Data backup and disaster recovery: ePHI needs to be backed up securely offsite.
• Security measures: Baseline cybersecurity best practices must be followed to prevent cyberattacks and data breaches.
• Modern hardware and software: Using end-of-life software or legacy hardware violates HIPAA requirements.

Stay on top of regulatory requirements to ensure your systems and processes are compliant with HIPAA.

12. Reassess and iterate.

So that you evolve at the right pace for you, respecting your budget restrictions, you must continuously evaluate your organization's IT and cybersecurity needs in order to reprioritize as needed. Make gradual improvements over time to reduce your resource strain while building a more secure and reliable IT environment.