Stretching your Cybersecurity Budget: 6 Ways to Do More With Less 

In today’s healthcare landscape, “doing more with less” isn’t just a slogan – it’s a growing request, especially within IT departments.  

On average, hospitals spend 6% of their budgets on security. This figure stands in stark contrast to other industries, where spending on cybersecurity is almost two-thirds higher.  

Amid the continuous wave of cyberattacks, healthcare IT departments are tasked with ensuring the integrity of their critical infrastructure, all while adhering to strict budgetary parameters. To help you maintain a strong cybersecurity posture without overextending your limited financial resources, here are six essential strategies to consider implementing within your healthcare organization.  

1. Audit your cybersecurity tech stack  

A technology stack review isn’t just about looking at individual tools—it’s about seeing the bigger picture. It’s about understanding how each tech component seamlessly weaves into your overarching cybersecurity tapestry.  

The primary objective? To spot duplications, uncover gaps, and pinpoint areas where technology might be underperforming. For example, the opportunity for bloatware or shelfware is high when technology isn’t being used to its fullest extent and/or when technologies overlap. Plus, it’s crucial to highlight aging or outdated technology, replacing them with more current, efficient solutions. 

Could consolidating vendors lead to improved operational efficiency? Merging budgets with a single vendor might offer greater value, maximizing what you get in return. 

Pay particular attention to renewal periods as well. These are often coupled with automatic price increases. In the same way that individuals shop around yearly for the best deals on home or auto insurance, hospitals should reevaluate their cybersecurity tech at least once every three years. 

Our research and experience reveal a compelling insight: Many health organizations could reduce their technology expenses by as much as 30%, all while maintaining, if not enhancing, their protection levels. 

2. Pause to consider 

For hospitals to truly foster a security-centric environment, IT departments need to move beyond reactions to the latest threats, championing a proactive cybersecurity stance. Of course, this isn’t without its challenges, especially when senior leadership is laser-focused on revenue and the latest threats, leading to reactionary tech purchases that may be misaligned with your strategic technology plan. 

However, before the ink dries on yet another cybersecurity software agreement, pause and assess: Could current technology be adapted to counteract new threats?  

With software continually advancing in its capabilities, you might discover that tools already in your arsenal have matured and can now manage the risks at hand more efficiently. 

Take, for instance, Endpoint Detection and Response (EDR) technology. In recent years, many vendors in this arena have broadened their services. They’ve not only refined their core offerings but have integrated features like Security Information and Event Management (SIEM) to enhance monitoring. 

As the tech landscape evolves, particularly with breakthroughs in machine learning and artificial intelligence, hospitals have the opportunity to streamline their vendor list. This optimization can allow IT departments to maintain, if not extend, their cybersecurity coverage without adding cost or complexity. 

3. Scrutinize your cybersecurity contracts 

It’s common for technology contracts to span several years, often with incremental price increases. Additionally, many contracts come with auto-renewal clauses, typically kicking in 60, 90, or 120 days before the contract’s end. This underscores the importance of being fully aware of each contract’s expiration date. 

It’s a smart practice for IT teams to keep a meticulously organized record (e.g., a spreadsheet), detailing every tech tool in their arsenal, along with key dates, including the contract end date and dates to review the contract before renewal (e.g., 30-45 days prior). This advance notice provides ample time to: 

• Review the current technology
• Compare its performance with other tools
• Determine whether it still serves a need
• Either terminate the contract or discuss renewal terms that may be more favorable 

Overlooking the specifics of cybersecurity contracts can inadvertently lead to renewals that are misaligned with the IT department’s preferences and budget. 

4. Evaluate your MSSP and MSP partners 

As you assess your technology landscape, it’s essential to review staffing and service vendors simultaneously. Many hospitals opt to outsource portions of their tech operations to managed service providers (MSPs) and managed security service providers (MSSPs). 

MSPs typically oversee tasks like network and firewall management, as well as basic help desk functions.  

MSSPs concentrate on cybersecurity. Their expertise spans a wide range, from vulnerability testing and monitoring to patching and centralized security operations centers. 

Reflect on the evolution of your needs since initiating contracts. Are you maximizing the potential of your MSSPs? Are there any redundancies in services? In the face of a significant cybersecurity breach, who’s your first point of contact? 

Much like the tech side of things, your outsourced staffing approach might have both gaps and overlaps. Engaging with multiple MSSPs could result in higher costs compared to streamlining services with a select few or even a single provider. And as with tech contracts, don’t leave your vendor review it to the eleventh hour — well before renewal time is when you should be weighing your options and evaluating alternative solutions. 

5. Tap into free resources, subsidies, and grants 

The spotlight on cybersecurity in healthcare is intensifying, with lawmakers at both federal and state levels actively calling for legislation, standards, and funding to help healthcare organizations protect themselves from cyber attacks.  

Notably, rural and Critical Access Hospitals (CAH) stand to gain significant support from federal, regional, and state authorities. But it’s not exclusive to them; urban and larger hospitals can also capitalize on opportunities by aligning with consortiums or forging partnerships with underserved entities. 

Joining a 405(d) Program can also be a great first step. This collaboration between the U.S. Department of Health and Human Services (HHS) and the industry acts as a nexus, providing a wealth of resources, tools, and insights to help address the significant cyber threats facing the healthcare sector.  

Eligible hospitals, health systems, and health consortiums can apply for federal and state grant opportunities, and there are many free resources that hospitals can access to improve their cybersecurity posture. Additionally, forging ties with local CISA and FBI representatives could unveil avenues for further financial support. 

6. Prioritize your people 

There are three pillars to a resilient and robust cybersecurity culture: people, processes, and technology.  

While the instinctive response to cybersecurity threats might be to invest in cutting-edge technology, the reality is that people often represent the most vulnerable point in your cybersecurity defenses. Therefore, a cost-effective way to curtail cyber attacks is to invest (mostly time) in employee cybersecurity awareness and training.  

Continuous training is more than just a one-time onboarding instruction or an annual refresher. It should be consistent and multi-dimensional. For example, a robust training approach would comprise various channels, such as email notifications, bite-sized video tutorials, breakroom posters, computer monitor reminders, and more. Quick, monthly training sessions tend to have a lasting impact compared to infrequent, prolonged ones. 

Additionally, tech teams should implement proactive phishing drills to evaluate staff readiness and pinpoint areas requiring extra attention. Regularly test every employee, at a minimum quarterly, and provide targeted support for those who struggle consistently. This approach not only reinforces awareness but also prepares them for real-world scenarios. 

People are your first and last line of defense. When trained and prepared appropriately, they can be your most valuable asset against cyber attacks. 

Cost-conscious cybersecurity programs 

Hospitals that allocate a larger portion of their IT budgets to cybersecurity are not necessarily safer than hospitals that spend less. Having the priciest tool or the biggest budget doesn’t automatically equate to a successful cybersecurity program.    

Rather, it’s about developing a holistic strategy that seamlessly spans the breadth of the IT spectrum, ensuring no gaps and avoiding redundancy.  

This strategy, known as “defense in depth,” is designed to address the security vulnerabilities inherent not only in software and hardware but also in people. 

By adopting a comprehensive approach, hospital cybersecurity teams can ensure that every dollar is optimized for maximum impact while maintaining a formidable line of defense against ever-evolving cyber threats. 

To gain more insights and practical knowledge that can help safeguard your healthcare organization in the face of evolving cyber challenges, check out our on-demand webinar, “A New Era of Cybersecurity.”