*Disclaimer: This article originally appeared in Health IT Outcomes.
Three steps to reverse the trend.
It’s well established that healthcare is one of the most targeted industries for cyber-attacks. Over the past five years, attacks on healthcare institutions have risen 125 percent, and personal health information is now seen as 50 times more valuable than financial information on the black market. Reports from the likes of the Institute for Critical Infrastructure Technology further prove what a significant problem cyberattacks are for healthcare organizations:
- Of the 16 top vertical sectors, healthcare suffered the most data breaches over the first six months of 2015 — 21 percent of the 888 reported breaches.
- The average healthcare organization has battled at least one cyberattack per month over the last year.
- Eighty-one percent of 223 healthcare CIOs, CTOs, Chief Security Officers, and Chief Compliance Officers surveyed report their organization was compromised by at least one cyberattack in the last year, an improvement over the prior statistic but still an indication hackers are winning the battle.
Furthermore, recent headlines such as "Healthcare firms invite cyberattacks" and "Report: Healthcare the least prepared sector against cyberattacks" make it clear that not only is this problem not going away, but healthcare organizations are allowing it to continue.
This raises the question — what’s holding healthcare organizations back from doing more to protect themselves?
They’re Focusing More On Productivity Than Security
Doctor and nurse efficiency and productivity have been seen as a major driver of healthcare IT changes over the past few years. Productivity, rather than security, has been the call to arms. Doctors need to be able to move quickly from system to system and device to device without obstacles. Unfortunately, in many cases, productivity and security have been seen as an either/or decision. That’s not true across the board, and certainly not with identity and access management technology, for example, but that thinking has spread enough that many in healthcare view the situation in that light, and they’ve chosen productivity as the priority.
HIPAA Leads Them To Focus On Compliance More Than Security
The national compliance standard, intended to protect the privacy of patient data, can be partially blamed for the inaction of healthcare organizations in securing that data. HIPAA instructs medical providers on when they can share patient information and with whom. It also states that healthcare organizations must protect patient data and information. What it does not do is establish how that data must be secured. HIPAA contains very few mandates on the protection of patient information. This leads many healthcare facilities to build an infrastructure that is compliant with HIPAA rather than secure. It has created a false sense of security among many healthcare providers. Many that are in compliance with HIPAA are in fact not securing patient information very well at all, as the multitude of recent cyber-attacks has revealed.
Executives Are Not Prioritizing Security
Amazingly, even with all the data and evidence demonstrating the clear and present danger of attacks, security doesn’t seem to be a priority for those running healthcare organizations. On average, healthcare providers spend less than 6 percent of their IT budget on security. Their counterparts at financial institutions spend at least double that (12 to 15 percent of their IT budget), while the federal government spends 16 percent of its IT budget on security. Another sign that security isn’t receiving adequate attention in the boardroom is the fact that 60 percent of healthcare boards of directors only get security updates on an as-needed basis, compared to regular quarterly reports on finances and operations.
All of these issues have contributed to the growing problem healthcare institutions face with cybersecurity. The longer they’re seen as vulnerable, easy targets, the more the attacks on them will continue. With the use of networked medical devices continuing to increase, we can only expect hospitals and other healthcare providers to become even more appealing targets for attackers.
Healthcare organizations must begin improving their security programs, protocols and solutions now. To reverse this trend and begin proactively securing their organizations, healthcare providers should take three steps toward a company-wide shift in security.
- Focus On Security First
Security has to become the foremost priority. Healthcare providers must stop sacrificing security for productivity and compliance. They need to seek out the solutions that don’t require them to make trade-offs. These solutions do exist. There are technologies built to protect an organization, which also enable greater business agility and compliance.
- Invest More Resources In Security
Maybe it’s budget. Maybe it’s bodies. The specifics depend on the organization, but healthcare providers need to direct more resources toward security. With all the breaches we’ve seen of late, it’s clear more attention must be given to security. This could mean those in charge of budget allocation need to shift their approach to analysis, or perhaps those requesting budget for security solutions need to change how they position their request. In many cases, when budget dollars are up for grabs, more attention goes to patient-facing technologies that can be used to improve patient care or drive new revenues. The ROI for solutions like these can often appear to be greater and sexier than the ROI for security infrastructure.
To overcome this unintentional ROI bias, those making security requests must supplement their ROI analyses. Instead of relying solely on ROI, add a Risk Assessment Report or a Security Audit to the decision. This Report or Audit would cover the technology that funding is being considered for — IAM software, a firewall, or an intrusion detection system, for example. It would define the breaches the technology can prevent and analyze the vulnerabilities the organization currently faces without the technology. An Assessment Report would also determine the probabilities of the breaches identified, as well as the likely losses if they were to take place. Complementing the projected ROI of the solution with this numerical risk data can make a more compelling case for security technology when it is positioned against patient-facing tools for budget. The numerical risk data becomes even more persuasive when paired with real-world examples of breaches, along with the costs the attacked organizations had to bear in the aftermath.
Ultimately, the costs of proactive preventative security solutions are minimal when compared with the expenses of dealing with a cyber-attack, especially when factoring in the eligible HIPAA fines which now reach the millions.
- Centralize Security
Healthcare organizations often consist of a hospital, a clinic, and a lab all working with the same patient information but with different medical and patient record systems using varying degrees of security. This type of infrastructure — with multiple, unconnected security systems — actually increases an organization’s risk. Each patient record has multiple points of entry through the disparate security systems that an attacker could target for intrusion. In instances like this, healthcare providers must have one central security team, led by a CISO who manages and oversees all security projects. Access can still be decentralized by department or group, but the systems must be connected. Limited entry points mean limited points of attack. The CISO and security team should also implement a security awareness program across the whole organization so employees understand the risks they could encounter and are trained on how to react when they do. A central team is more likely to succeed in rolling out comprehensive training programs and communicating with the employee base than an uncoordinated, loosely affiliated group of multiple security teams.
Healthcare organizations must get proactive in dealing with their security instead of waiting for something to happen to make changes. Cyberattacks have become too damaging and too costly to sit back idly and wait. Systemic change is needed at healthcare organizations, from systems admins all the way up to the CEO and board. The right people, technologies and protocols need to be implemented that can prevent attacks and minimize damage in the event of an attack.
Failing to get serious about preventing attacks like those we’ve seen recently means we’ll continue to see alarming, damaging headlines. Take action now. Don’t become the next headline.