Healthcare organizations are prime targets for cyberattacks. Take the ransomware attack at Hollywood Presbyterian earlier this year, for instance, where officials paid the equivalent of $17,000 to the extortionists via Bitcoin. In March, another hospital in Kentucky underwent a similar attack. It’s estimated that data breaches cost the healthcare industry $5.6 billion in 2015, and with events like these ransomware attacks increasing, that number is only expected to rise. So why are healthcare institutions increasingly being targeted for ransomware attacks? The answer may lie in these organizations’ data deluge and the lack of security protocols.
In many healthcare organizations, electronic health records (EHRs) and digital clinical systems have been installed to meet mandates. Often, these tools get installed without a strategic plan in place to protect the security of patient data and IT infrastructure. Additionally, the users of IT systems in healthcare organizations vary widely in their knowledge of technology. In fact, cyber hygiene training is not routine in these organizations; users are trained on the equipment and its utility but not the overall security processes.
EHRs and digitized healthcare systems hold extremely valuable, personal, and often confidential patient data; yet healthcare organizations may not always develop the procedures necessary to adequately protect that information. In 2015, 253 healthcare breaches were reported, which resulted in the theft of over 112 million patient records. It’s time for health organizations to better understand their data, networks and systems, and threat actors in order to lower these numbers in 2016 and beyond. Some of the key issues institutions must address in order to strengthen healthcare data security include understanding the value of health data, investing in cyber technologies and talent, and developing executive buy-in.
The Value of Healthcare Data
Stolen patient information draws up to 50 times more than a Social Security or credit card number. Data retrieved from a patient’s EHR may be used for medical fraud or identity theft, and attacks on healthcare information have increased by 125% in the past five years alone. It’s crucial that hospitals and hospital employees treat patient data with caution and hold it to the level of security it deserves. Leaving devices unlocked and unprotected is just one way healthcare organizations may put patient data at risk.
The Importance of Investment
The lack of concern about data security often results in lack of investment by healthcare organizations, both financially and in terms of human capital. The HIMSS Analytics Healthcare IT Security and Risk Management Study found that more than half of survey respondents said their organizations allocate only between 0-3% of IT budgets to cybersecurity; 28% said budgets were between 3%-6%.
Staffing is another limitation compounding the problem for healthcare data security, according to the HIMSS report. Among respondents, 72% have five or fewer IT employees allocated to data security. The lack of talent and tools is one of the biggest problems in healthcare security today. Due to these shortfalls, most organizations are only able to conduct IT security risk assessments once a year, and many security leaders only have occasional interactions with C-level leadership.
The Necessity of Structure
Organizational structure feeds the underfunding of cybersecurity in healthcare as well. In a majority of healthcare organizations, CISOs report to CIOs. As a result, CISOs are commonly removed from the chain of executive communication; security is then seen as an IT issue rather than a patient issue. Communication with executives is critical. The concept of compliance is frequently muddied with security, and it’s assumed that if an organization is HIPAA compliant, that must mean it’s also secure. This is simply not the case, however, and healthcare leaders must be educated to ensure that security – not just compliance efforts – is in effect.
A Strategic Healthcare Security Vision
Healthcare organizations have a long road ahead of them to become both compliant and secure. CISOs and CIOs must work closely together to create security programs that will protect healthcare organizations and patients alike. User IDs and firewall logs must constantly be monitored, and security assessments need to take place more often. Discovering and hiring more cyber talent and partnering with industry leaders in data security are the necessary first steps to overcoming current shortfalls in security measures.
Healthcare institutions will only continue to gather more and more data, making themselves increasingly vulnerable to ransomware and other types of cyberattacks. As the healthcare industry becomes more digitized and new threats to security continue to grow, organizations must be proactive and strategic about protecting valuable patient data by investing, financially and otherwise, in solid security systems.
For more information on the current state of cybersecurity in healthcare organizations and tips on moving the needle from compliance to true security, check out this report from Symantec and HIMSS Analytics.