Senior Leaders Must Give Extra [Cyber]Care to Healthcare
Earlier this month, over 45,000 healthcare practitioners, technologists, visionaries, and information security professionals gathered in Orlando, FL for the annual Healthcare Information and Management Systems Society (HIMSS) Conference. HIMSS is the world’s leading health information and technology conference, and it covers a wide range of issues important to the advancement and protection of healthcare. From new ways to manage data to the latest advancements in medical devices, this conference delivers not only in size but also in knowledge. But as new technologies and new ways to manage data emerge, the threats to data security and patient privacy have never been greater.
Healthcare is the most costly industry when a breach occurs. According to the Ponemon Institute’s 2018 study, the healthcare industry has a staggering average cost of $11M per data breach globally, or $14M per data breach in the U.S. Compared to the average cost of a data breach, healthcare is significantly more costly than the global average of $3.9M, as well as the U.S. average cost of $7.9M per data breach.
Key Statistics About Health Industry Breaches
- $408 is the average cost per record lost for the health industry, compared to a global average of $148.
- The health industry has the highest abnormal customer churn rate, with a 6.7% average abnormal churn. Compare this with the global average churn rate of 3.4%.
- $11M is the average global cost of health industry data breaches, $14M for the U.S. health industry.
- On the global average, it takes 196 days to identify a breach, and another 69 days to contain one.
Why Attack A Healthcare Organization?
There are many reasons why threat actors would choose to target a healthcare organization over an organization in any other industry. For one, electronic health records (EHR) are personal and often contain sensitive information, such as medical history, prescriptions, and current or past insurance information. The value of Protected Health Information (PHI) is high, selling for ten times the price of a credit card number on the Dark Web. This increased value comes from the broader set of fraudulent activities the data supports, including pharmaceutical fraud, and it creates a strong incentive for hackers to target healthcare organizations. They can sell the data on the black market, threaten to make the data public, or use it for extortion (ransomware)—all for financial gain. And let’s not forget that ransomware has continued to plague healthcare providers in recent years.
Next, espionage plays a large role in why healthcare organizations fall victim to attacks. Healthcare organizations that conduct medical studies hold valuable data related to clinical trials or other advanced medical and life sciences research. Nation-states, or sometimes even competitors, may also attempt to leapfrog past the R&D stage of medical device manufacturers and undercut the first-to-market advantage or market value by stealing this sensitive information and Intellectual Property (IP).
Furthermore, testing capabilities also affect whether a healthcare organization gets breached. The digitization of medical records creates significant vulnerability. An increase in the interconnectedness of networks, systems, and medical devices expands the potential cyber attack surface and gives hackers more options to cause harm.
Healthcare organizations are facing key challenges when it comes to protecting their network.
What Challenges Does The Future Hold?
Human error and privilege misuse often become the weakest link within a healthcare organization. And unfortunately, these two issues will continue to be a thorn in the industry’s side. Employees continue to fall victim to adversarial cyber tactics such as social engineering, and far too often privilege misuse still tops the list of how sensitive data is accessed and compromised. From losing laptops, to mishandling documents, to posting photos of patients on social media, HIPAA violations will continue to haunt health providers for years to come.
Artificial Intelligence (AI) holds many promises for the health industry. With the data processing power and technological advances of AI, quickly and more accurately diagnosing patients is a desired future state for the health industry. That said, many questions still need to be answered regarding how AI can be used to its full potential, particularly when it comes to patient privacy and data protection challenges.
The cybersecurity of medical devices has received heightened attention over the last couple of years and is one of the top priorities moving forward. In response to the growing recognition of these cyber threats, the U.S. Food and Drug Administration (FDA) issued a series of non-binding recommendations to medical device manufacturers. The FDA’s Content of Premarket Submissions for Management of Cybersecurity in Medical Devices provided updated recommendations to the industry on cybersecurity considerations for device design, labeling, and documentation. The guidance covers a number of different aspects of medical device cybersecurity — including general principles and risk assessment, designing a trustworthy device using the NIST Cybersecurity Framework, labeling recommendations for devices with cybersecurity risks, and documenting cybersecurity procedures.
Ransomware attacks will continue to target healthcare providers. If organizations do not regularly back up their data, hackers may attempt to extort their victims by accessing and encrypting sensitive data using ransomware. Although some ransomware incidents may not breach the confidentiality of the ransomed data, all ransomware incidents must be reported as a breach under guidance from the U.S. Department of Health and Human Services. According to the Verizon Data Breach Investigations Report, ransomware accounts for 72% of malware incidents within the healthcare industry.
Taking Action: Top 3 Must-Dos
First and foremost, establish cybersecurity policies. This can help healthcare organizations not only save money, but also protect personal information from an attack. Policies should include how data will be backed up and which security programs are implemented. Backup systems should be in place so that when an attack does occur, the backups can be used to restore the data, and the backups themselves do not fall under the control of the hacker.
Second, every health organization should establish a standardized and repeatable process for conducting cyber risk assessments. These risk assessments should be quantifiable, translate potential loss scenarios into dollars and cents, and be applied not only internally, but also to third parties such as vendors, suppliers, and other business partners. Only once an organization’s greatest risks are identified and calculated can it begin to prioritize how to manage or reduce cyber risk.
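The paragraph above asks for risk assessments that are quantifiable, expressed in dollars, cover third parties, and feed a prioritized list. The following is an added illustration of that process, not code from the original post or from CyberVista: it scores a handful of constructed loss scenarios (internal and vendor-owned) using single-loss expectancy and annualized loss expectancy, ranks them, and checks whether a candidate control pays for itself. The per-record cost is the $408 healthcare figure cited earlier on this page; every scenario, annual rate, extra cost and control figure is a made-up input chosen for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Healthcare cost per lost record cited on this page (Ponemon 2018).
COST_PER_RECORD_USD = 408


@dataclass
class LossScenario:
    """One potential loss event, internal or attributed to a third party."""
    name: str
    owner: str                 # "internal" or the vendor / partner that holds the data
    records_exposed: int       # records at risk if the event occurs
    annual_rate: float         # expected occurrences per year (ARO)
    extra_cost_usd: float = 0.0  # downtime, notification, penalties (constructed)

    def single_loss_expectancy(self) -> float:
        """Dollar loss from one occurrence: records x cost per record + fixed costs."""
        return self.records_exposed * COST_PER_RECORD_USD + self.extra_cost_usd

    def annualized_loss_expectancy(self) -> float:
        """Expected annual loss: SLE x how often the event is expected per year."""
        return self.single_loss_expectancy() * self.annual_rate


@dataclass
class Control:
    """A mitigation that lowers how often one or more scenarios occur."""
    name: str
    annual_cost_usd: float
    rate_reduction: float            # fraction of the annual rate removed (0..1)
    applies_to: List[str] = field(default_factory=list)  # scenario names


def rank_scenarios(scenarios: List[LossScenario]) -> List[LossScenario]:
    """Highest expected annual loss first; this is the prioritization list."""
    return sorted(scenarios, key=lambda s: s.annualized_loss_expectancy(), reverse=True)


def control_net_benefit(control: Control, scenarios: List[LossScenario]) -> float:
    """ALE avoided by the control minus its annual cost (positive = worth funding)."""
    avoided = sum(
        s.annualized_loss_expectancy() * control.rate_reduction
        for s in scenarios
        if s.name in control.applies_to
    )
    return avoided - control.annual_cost_usd


def third_party_share(scenarios: List[LossScenario]) -> float:
    """Fraction of total ALE that sits with vendors and partners rather than in-house."""
    total = sum(s.annualized_loss_expectancy() for s in scenarios)
    external = sum(s.annualized_loss_expectancy() for s in scenarios if s.owner != "internal")
    return external / total if total else 0.0


# Constructed scenarios for the example (not real incident data).
SAMPLE_SCENARIOS = [
    LossScenario("Ransomware on EHR servers", "internal", 50_000, 0.2, 500_000),
    LossScenario("Lost laptop with patient spreadsheet", "internal", 2_000, 1.5),
    LossScenario("Billing vendor compromise", "vendor: claims processor", 120_000, 0.05),
]

# Constructed candidate controls, priced annually.
SAMPLE_CONTROLS = [
    Control("Tested offline backups", 150_000, 0.5, ["Ransomware on EHR servers"]),
    Control("Full-disk encryption on laptops", 40_000, 0.9, ["Lost laptop with patient spreadsheet"]),
]


if __name__ == "__main__":
    print(f"{'Scenario':40} {'Owner':28} {'SLE':>14} {'ALE':>14}")
    for s in rank_scenarios(SAMPLE_SCENARIOS):
        print(f"{s.name:40} {s.owner:28} {s.single_loss_expectancy():>14,.0f} "
              f"{s.annualized_loss_expectancy():>14,.0f}")
    print(f"\nShare of expected loss held by third parties: {third_party_share(SAMPLE_SCENARIOS):.0%}")
    for c in SAMPLE_CONTROLS:
        print(f"{c.name}: net annual benefit {control_net_benefit(c, SAMPLE_SCENARIOS):,.0f} USD")
```

The ranking, not the absolute numbers, is what the board needs: in this constructed set the ransomware scenario leads even though the vendor breach would be far larger per occurrence, because the rate estimate dominates. Putting a vendor-owned scenario in the same table as internal ones is what makes the third-party share visible at all.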
Third, executives should ensure their incident response plan and business continuity plan are regularly updated and tested. These plans are necessary when responding to a cyber incident or breach and can make or break a company when the unfortunate occurs.
Lastly, it’s important to educate employees and senior leaders. Healthcare organizations often fall short in educating their employees about the dangers of cyber attacks. Having a training program in place that educates employees on cybersecurity issues and senior leaders on managing cyber risk is paramount.
Is Your Organization Prepared?
Do you, as a healthcare senior leader, understand cyber risk as an enterprise risk? Cybersecurity should always be an essential element in your larger enterprise risk framework. As such, it is important that the leaders of your organization have a firm understanding of what cyber risk is and what it means for your organization. As you move further into the new year, CyberVista is here to offer comprehensive cyber risk training for your C-suite, board, and other executives. Whether you’d prefer in-person training or training on the go, we can accommodate your organization’s needs.