Healthcare organizations must modernize their cybersecurity systems or risk falling behind the times compared to other industries that have made significant investments in safeguarding their IT assets. Reports have predicted that the healthcare sector will face more cyberattacks than any other industry, as hackers exploit system weaknesses. Find out need-to-know information regarding healthcare cybersecurity and get the wake-up call you need to protect your healthcare organization.
The Rising Cost of Healthcare Industry Data Breaches
According to the Identity Theft Resource Center, over one-quarter of all data breaches target the healthcare industry, resulting in estimated losses totaling $5.6 billion. Accenture, a consulting firm, believes that healthcare industry breaches will cost over $300 billion in cumulative lifetime patient revenue over the next five years.
In addition to the financial cost, businesses face significant reputational damage after a cyberattack. In 2015, 113 million health records were exposed in the U.S. An additional 16 million American health records were exposed in 2016, per the U.S. Department of Health and Human Services.
Why Cyberattackers Target the Healthcare Industry
The numbers show the devastating impact of cyberattacks in the healthcare industry. It’s worth pointing out that the recent rise in healthcare data breaches comes as other industries have increased their investment in cybersecurity systems that detect, block, and mitigate attacks. Hackers searching for new targets turned to industries they previously ignored, such as healthcare. After all, it’s much easier to reuse proven attack strategies against a new industry than to invest time in developing new techniques against the latest cybersecurity defenses.
Once cyber thieves get healthcare data, what do they do with it? The black market has many uses for medical records. Cyber criminals can harvest the data to conduct “medical identity theft.” From the harvested data, they can create false or synthetic identities.
They can glean enough raw data from an individual’s medical record to perform traditional identity theft. From a medical record, they may be able to open a bank account or credit card, take out a business loan, and more.
Medical identity theft is more complex than credit card theft. While a consumer can detect and dispute a credit card charge fairly quickly, it is more difficult to resolve medical identity theft.
Cyber criminals have begun using ransomware to extract money from healthcare organizations. Criminals seize control of the data and then promise to restore access to the data or systems once a ransom is paid.
Since healthcare organizations have been slow to adopt cybersecurity best practices, medical staff may be unaware of the risks to patient data. The average cybersecurity budget for a healthcare organization is a fraction of the budget for a financial firm.
Recommendations for Cybersecurity
Both provincial and federal governments set laws regarding privacy of data. These laws indicate who can access medical information, how data must be stored and managed, and what protocol to follow if there is a breach. If you’re not sure what the privacy laws are, or how they apply to healthcare data security, this is the place to start. If it’s been a while since you’ve reviewed the privacy laws, look for recent, relevant findings and rulings that could apply to your business.
Since many healthcare workers do not know the risks of cyberattack, it’s important to educate staff. Not only should IT workers understand cybersecurity threats and protection, but medical workers should know how their roles pertain to data management. In particular, staff should understand how to properly handle confidential information including patient data. Staff should know how to recognize common types of cyberattacks, such as phishing emails. By training your employees on cybersecurity, you can cut the risk of an attack from 70 percent to 45 percent.
Industry Best Practices
Best practices that combine the particular needs of the healthcare sector with practical cybersecurity solutions do exist. They include strong encryption of data, strong authentication requirements for access to data, strict access control over data, and regular monitoring of searches and downloads. If a large batch of sensitive data is downloaded or transferred, it should trigger an alarm. Along with implementing best practices, healthcare businesses should research newer technologies that may offer additional levels of protection. These include biometric security, tokenization, and blockchains to record transactions.
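As an added illustration of the “large batch download should trigger an alarm” rule above (example code written for this page, not from the original article), the following detector counts distinct patient records each user touches inside a sliding time window and raises an alert once a threshold is crossed. The audit log lines, the user names, and the threshold and window values are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log lines (not from any real system):
# timestamp, user, action, patient record id
SAMPLE_LOG = """\
2024-03-01T09:00:05 nurse01 VIEW P1001
2024-03-01T09:00:40 nurse01 VIEW P1002
2024-03-01T09:02:10 nurse01 VIEW P1003
2024-03-01T09:10:00 billing7 EXPORT P2001
2024-03-01T09:10:01 billing7 EXPORT P2002
2024-03-01T09:10:02 billing7 EXPORT P2003
2024-03-01T09:10:03 billing7 EXPORT P2004
2024-03-01T09:10:04 billing7 EXPORT P2005
2024-03-01T09:10:05 billing7 EXPORT P2006
2024-03-01T09:45:00 nurse01 VIEW P1004
"""

def parse_line(line):
    ts, user, action, record_id = line.split()
    return datetime.fromisoformat(ts), user, action, record_id

def find_bulk_access(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who touches more than `threshold` distinct
    patient records inside any sliding window of length `window`.
    Threshold and window are assumed values; tune them per role."""
    recent = defaultdict(deque)      # user -> deque of (timestamp, record_id)
    alerted = set()
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, _action, record_id = parse_line(line)
        q = recent[user]
        q.append((ts, record_id))
        # Drop events that have aged out of the window for this user.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {rid for _, rid in q}
        if len(distinct) > threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "records": len(distinct),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    for a in find_bulk_access(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {a['records']} records "
              f"between {a['first']} and {a['last']}")
```

The routine user (nurse01) views a few records spread over the morning and never trips the rule; the account that exports six records in six seconds does.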
Disaster recovery planning is essential for healthcare businesses. Comprehensive planning includes defining what needs to be protected, implementing a DR plan, and testing the plan. The growth of DRaaS (disaster recovery as a service) allows healthcare businesses to invest in the disaster recovery they need while keeping costs affordable.
Cyber Insurance
A cyber insurance policy can help protect your business from a data breach and many other IT disasters. A comprehensive insurance policy will cover claims made against your business by victims of the breach as well as direct losses you experience.
IT Service Providers
If all of this sounds like a lot to handle on your own, consider turning to the cloud for help. Healthcare organizations are increasingly using the cloud to store data and share data while controlling cost. Cloud service providers offer scalable solutions for healthcare, so your business can access the protections you need now and change your plan as you grow. Many service providers understand the regulations, risks, and needs of the healthcare industry and act as supportive partners.
Given the gap between healthcare cybersecurity and the security of other industries, it is critical that healthcare organizations make it a priority to protect their data. As long as the healthcare sector uses vulnerable hardware and software for transactions and does not move toward stronger cybersecurity practices, organizations will continue to face staggering risk.
Protecting health data will take a coordinated effort among healthcare companies, care providers, insurance companies, and IT partners who can provide solutions and experience. By adopting the lessons learned by other industries — namely financial and legal — healthcare companies can reduce their risk and protect their patient data before “the worst” happens.