Four ways health execs can help their organizations mitigate cyberattacks

Healthcare executives are starting to realize that preventing cyberattacks is not just a task for their IT departments and third-party security vendors. Cyberattacks are becoming widespread, and there are significant long-term repercussions for businesses that have been affected.

Perhaps more so than other industries, healthcare has a unique challenge when dealing with these attacks. As a critical component of modern healthcare operations, the data this industry collects is personal, rich and highly valuable.

By now, many healthcare organizations have learned it is only a matter of time before they are impacted-and the volume of cyber-related breaches is sobering. Just in the past two years, 89% of healthcare organizations have sustained a data breach, according to the “Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data” by the Ponemon Institute. The astonishing numbers don’t end there. Of those organizations, 45% reported five or more breaches.

In addition, the penalties for healthcare breaches can come with a sizeable financial impact that may linger for many years. Recently, The U.S. Department of Health and Human Services (HHS) handed a hospital a fine for over $3 million. This action stemmed from a combination of breaches that occurred over a four-year period.  Per published announcements, the initial breach was due to the theft of an unencrypted, non-password protected smartphone.  Subsequently, the hospital sustained another breach, again from a stolen, unencrypted device containing electronic protected health information which spurred HHS into action this year, another four years later.

To bring greater perspective to this widespread business challenge, Deloitte explored the impact factors that can affect a healthcare organization in the report, “Beneath the Surface of a Cyberattack: A Deeper Look at Business Impacts.” In an example scenario involving a fictitious healthcare insurer, the report projects a breach could very likely cost $1.6 billion over a five-year period (assuming $60 billion in annual revenue and 23.5 million members).

So what should healthcare executives be thinking about and addressing in order to prepare for and respond to cyber-related incidents? Here are some tips:

1. Take a balanced approach to cybersecurity

Cybersecurity is an organization-wide matter and requires involvement from across the business. Instilling a culture of cybersecurity awareness, establishing and communicating security processes to employees, and engaging in collaborative conversations across the levels of the organization are specific actions that business leaders should take now to reduce vulnerability to cyber risk.

Healthcare executives can get engaged by leading efforts to safeguard the data and assets that matter most, identify when an attack or breach has occurred and plan for response and recovery efforts that can extend for years after an incident.

Next: Tip #2

2. Safeguard what matters

The first step toward developing a balanced cybersecurity plan is understanding why the healthcare industry has become a target for cyberattacks. Healthcare’s unique challenge is due to two primary drivers:

• There is a wealth of personal and valuable information that healthcare entities use for legitimate operational purposes across the enterprise (for example, care delivery, revenue cycle, insurance, and research). For criminal hackers seeking to use that information to perform identity theft, it’s a one-stop shop for the data they need.
• The industry as a whole has a relatively low level of maturity when it comes to securing this valuable information, although this has improved since the Health Information Technology for Economic and Clinical Health (HITECH) Act emerged in 2009. Compared to some other industries, healthcare organizations haven’t historically had the same resources or incentives to build sophisticated cybersecurity programs.

What’s more, the HITECH Act’s stimulus to adopt electronic health records (EHRs) has rapidly pushed the industry toward the increased use of technology. Healthcare’s primary focus on the mission of saving lives, combined with increased incentives to implement EHRs, has created an environment where healthcare is a prime target for cyber-related incidents.

Aside from individual cyber criminals seeking to profit from identity theft, there are also larger actors-like nation-states and those using cyberattack for the purposes of espionage-that are interested in acquiring intellectual property. As an example, some foreign actors want intelligence on how healthcare facilities and institutions function in an effort to enhance their own healthcare delivery systems.

3. Address long-term impacts ahead of time

Understanding the impact of an incident-even identifying that one has happened in the first place-is a challenge for many organizations. The attacks range in size and in scope, from large-scale social engineering attacks to more sophisticated and targeted spear-phishing emails that are difficult to spot.

One of the more problematic attacks to deal with has been ransomware. Organizations deciding to make a financial payment to get a system back online may find that they are labeled by the hacking community as a source of easy money and risk repeat attacks. Those that don’t choose to pay may deal with extended system outages, time consuming data recovery procedures, lost data, and potential impact on patient safety.

Promptly after an incident, many healthcare executives first think of factors such as what happens to the data itself and how to get their IT departments to stem the attack. While these tactical responses are required in the short-term, there are longer-term impacts that should be addressed ahead of time. In reality, the effects of a cybersecurity breach can impact a company for years-from aspects like litigation, loss of intellectual property, brand reputation, and loss of patients/members.

Next: Tip #4

4. Respond and recover appropriately

Initially, many businesses respond to breaches reactively, requiring near-term decision-making by business leaders to identify, isolate, and neutralize an intrusion. However, this phase typically comprises only 40% of the total costs of a breach. For companies to be truly resilient, they need to also plan for the “below the surface” factors that occur in the months and years after a breach.

Factors like lost contract revenue, devaluation of trade name, and lost value of customer relationships can weigh heavily on a business and are relevant to an organization’s C-suite, from marketing to sales to public affairs and legal departments. To potentially mitigate a multibillion-dollar incident and reduce the damage of a breach, healthcare executives should adopt a sound risk management practice, which can help them prioritize resources and balance priorities.

In particular, having a well-defined and practiced incident response and mitigation plan can make the difference in the impact and severity of a cyber incident.

A good plan will determine specific actions and ownership, such as:

• Which aspects of an incident are covered by an existing cyber-insurance policy;

• Which scenarios activate the plan;

• When to get legal counsel involved;

• How to cover media response and which types of breaches trigger a mandatory response to customers and regulators as mandated by federal regulations.

It’s important to first step back and identify the biggest exposures. Understanding which threat vectors pose the largest risks to an organization can help executives prioritize and allocate resources appropriately. Cyber wargaming exercises are one way business leaders can get a sense of how a breach would actually play out and understand how effective their incident response plan actually is.

It starts at the top

Cyberattacks against healthcare organizations aren’t just likely-they are inevitable. Healthcare executives cannot sit on the sidelines and leave this pervasive business issue to IT departments to solve alone. The organization and industry should work together to effectively prepare for, detect, and respond to the increasing number of cyber incidents.

By understanding the organization’s cyber risk profile and proactively exercising their cyber incident response plan, healthcare executives can help protect their organization’s most valuable resources and recover faster from a cyberattack.

Mark Ford is risk and financial advisory principal and life sciences and health care cyber risk services practice leader at Deloitte & Touche LLP. Jeff Bird is risk and financial advisory senior manager, cyber risk services at Deloitte & Touche LLP.