Article #2 of 4: Advocate for Change: Why Mental and Public Health Agencies Must Demand Cybersecurity Investment
As part of Cybersecurity Awareness Month, here’s the second article of a four-part series:
Bryan Wempan
10/7/2024
Cybersecurity is often treated as an afterthought in mental, public, and community health organizations, but this needs to change. These agencies must become their own strongest advocates for securing the necessary resources, training, and support to build a resilient digital infrastructure. By prioritizing cybersecurity, they can safeguard their operations and continue providing essential services to their communities.
Why Cybersecurity Gets Overlooked: Behavioral, community, and public health agencies often face tight budgets, staffing shortages, and the pressing demands of direct service delivery. Cybersecurity is viewed as a back-office concern, something to be dealt with later, when budgets allow, and some areas, such as mobile security, are not considered part of the threat picture at all. In 2022, 9% of all cyberattacks globally were delivered through mobile devices, marking a 50% increase year-over-year. Deprioritizing cybersecurity leaves these agencies vulnerable to attacks that can compromise patient data, disrupt services, and erode public trust. The focus on immediate care delivery, while critical, should not come at the cost of long-term operational resilience.
The Cost of Inaction: Leaders in these organizations might believe that cybersecurity investments are too costly or unnecessary—until a breach occurs. The reality is that a single data breach can have devastating consequences, far outweighing the costs of preventive measures. For example, the average cost of a data breach in healthcare reached $10.93 million in 2023, according to IBM*. In contrast, investing in cybersecurity can prevent these losses. A healthcare system that invests in multi-layered defense mechanisms creates an opportunity to save hundreds of thousands to millions of dollars annually by avoiding breaches and reducing downtime.
Additionally, regulatory fines for breaches involving sensitive health data under laws like HIPAA can range from $100 to $50,000 per violation, depending on the severity and negligence involved**. These fines, along with lawsuits, public relations costs, and operational disruptions, can cripple an already resource-strained agency.
What Needs to Change: Agencies must start treating cybersecurity as an essential part of their service delivery strategy. Here’s how they can frame the conversation with stakeholders:
Position Cybersecurity as Risk Management: Shift the narrative from cybersecurity being an “IT expense” to it being a vital component of risk management. Discuss how cyberattacks can interrupt service delivery, damage public trust, and expose the agency to legal liabilities.
Highlight the Financial Benefits: Demonstrate the long-term cost savings of investing in preventive cybersecurity measures compared to the catastrophic costs of a breach. Use real-world data or case studies from similar organizations to show the financial impact.
Engage Stakeholders with Clear Metrics: Present a compelling business case to funders and leadership by using quantifiable data, such as reductions in downtime, potential savings from avoided breaches, and compliance benefits. For instance, an organization that implemented a comprehensive security strategy reduced its incident response time by 50%, minimizing operational disruptions.
Show Alignment with Mission Goals: Highlight how secure systems protect not only the organization but also the vulnerable populations it serves. By safeguarding their digital infrastructure, agencies ensure continuous, reliable service delivery, which is central to their mission.
Call to Action: It’s not enough to wait for policymakers to mandate cybersecurity improvements. Agencies must advocate for themselves. Start by initiating conversations with leadership and funders about the financial and reputational risks of neglecting cybersecurity. Create a roadmap that integrates cybersecurity, including mobile security, into every aspect of the agency's operations—from patient data management to staff training and response protocols.
Cybersecurity investment is not optional—it is essential to safeguarding the critical services these agencies provide. By taking action today, agencies can protect their communities, their reputation, and their ability to serve those who need help the most.
*IBM 2024
**NIH 2024