Healthcare executives are starting to realize that preventing cyberattacks is not just a task for their IT departments and third-party security vendors. Cyberattacks are becoming widespread, and there are significant long-term repercussions for businesses that have been affected.
Perhaps more so than other industries, healthcare has a unique challenge when dealing with these attacks. As a critical component of modern healthcare operations, the data this industry collects is personal, rich and highly valuable.
By now, many healthcare organizations have learned it is only a matter of time before they are impacted—and the volume of cyber-related breaches is sobering. Just in the past two years, 89% of healthcare organizations have sustained a data breach, according to the “Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data” by the Ponemon Institute. The astonishing numbers don’t end there. Of those organizations, 45% reported five or more breaches.
In addition, the penalties for healthcare breaches can come with a sizeable financial impact that may linger for many years. Recently, the U.S. Department of Health and Human Services (HHS) handed a hospital a fine of over $3 million. This action stemmed from a combination of breaches that occurred over a four-year period. Per published announcements, the initial breach was due to the theft of an unencrypted, non-password-protected smartphone. Subsequently, the hospital sustained another breach, again from a stolen, unencrypted device containing electronic protected health information, which spurred HHS into action this year, another four years later.
To bring greater perspective to this widespread business challenge, Deloitte explored the impact factors that can affect a healthcare organization in the report, “Beneath the Surface of a Cyberattack: A Deeper Look at Business Impacts.” In an example scenario involving a fictitious healthcare insurer, the report projects a breach could very likely cost $1.6 billion over a five-year period (assuming $60 billion in annual revenue and 23.5 million members).
So what should healthcare executives be thinking about and addressing in order to prepare for and respond to cyber-related incidents? Here are some tips:
1. Take a balanced approach to cybersecurity
Cybersecurity is an organization-wide matter and requires involvement from across the business. Instilling a culture of cybersecurity awareness, establishing and communicating security processes to employees, and engaging in collaborative conversations across the levels of the organization are specific actions that business leaders should take now to reduce vulnerability to cyber risk.
Healthcare executives can get engaged by leading efforts to safeguard the data and assets that matter most, identify when an attack or breach has occurred and plan for response and recovery efforts that can extend for years after an incident.