The U.S. healthcare industry is struggling to keep pace with an ever-widening number of global threats being perpetrated by increasingly sophisticated cyber criminals.
Criminal attacks in healthcare are up 125% since 2010 and are now the leading cause of data breach, according to a recent study by the Ponemon Institute. And while recent attacks on Anthem, Community Health Systems, Premera and CareFirst, compromising millions of Americans’ personal data, helped raise awareness, many healthcare payers and providers are still mired in outmoded or unfocused cybersecurity strategies and thus remain vulnerable.
Experts say that unless healthcare organizations utilize strong approaches to manage risk and protect data, the potential costs could be staggering.
In April 2014, prior to some large publicized attacks, the FBI issued a private industry notification, warning healthcare providers that their networks were too lax compared to other industries. Some industry experts worry that the situation is much the same more than a year later. “They’re just being sloppy,” chief executive officer Mac McMillan of CynergisTek, Inc., says of the healthcare industry’s current efforts to manage data and risks to its environment. McMillan’s healthcare information technology (IT) consulting firm focuses on improving privacy, security and regulatory compliance for payers, providers and business associates.
“Once you get beyond the shock factor [on recent healthcare data breaches], you wonder ... 'Why did people have all this information?’” says McMillan, who also chairs the Healthcare Information and Management Systems Society (HIMSS) Privacy & Security Policy Task Force. “With CareFirst, why do you still have data on former customers that are accessible to anyone to steal? Even if you have a business purpose to retain data, why isn’t it in some long-term storage that isn’t accessible online? ... We need to be more responsible with how we handle data.”
He cites two paradigms in play: For payers, having accessible data is a business driver. For providers, patient care and safety come first and everything else, including cybersecurity, is second. Yet in both scenarios, a rapid response when a breach is suspected is of the essence, says McMillan, former director of security for the U.S. Department of Defense. CareFirst executives had “holes in their security approach,” he asserts, since CareFirst saw anomalous behavior months before the breach but didn’t follow up until after other payers’ breaches.
“There’s nothing that healthcare is dealing with that other folks haven’t dealt with already,” McMillan says. “The same person that shows up at your hospital to work is the same person that worked yesterday in retail ... The only thing special about healthcare is the operational aspect of care to the patient—so you err on the side of caring for the patient first, not protecting the data.”
Nationwide, data breaches could be costing the healthcare industry $6 billion, says the Ponemon Institute report issued in May. That total arises from two factors: The average cost of a data breach for healthcare organizations is estimated to exceed $2.1 million, and 91% of organizations have had a breach, with four in 10 having had more than five breaches over the past two years.
“There are only two types of [healthcare] organizations right now: Those that know they’ve been breached and those that don’t know they’ve been breached,” says Rick Kam, president and cofounder of ID Experts, the Ponemon report’s sponsor. “The problem is, it’s already in. And if they’re spending millions of dollars assuming they haven’t been infected, they’re wasting their time and effort.”
Broadly speaking, cyberattacks are frequent and swift. Five malware events occurred every second in healthcare in 2014, according to Verizon’s 2015 data breach investigations report.
Email phishing has been increasing since 2011, Verizon says, and in 60% of cases, cyberattackers compromised an organization within minutes—with organizations’ response time lagging well behind. Healthcare was among the most affected industries for “insider misuse” and errors made by internal staff—notably system administrators—such as sending sensitive information to incorrect recipients.
It also isn’t a matter of cyberattackers only trying to topple giants. Experts say no healthcare organization, regardless of its size, is immune from cyber risks.