Cybersecurity mistakes plans, providers should avoid

Health plans and healthcare organizations are increasingly facing threats from cyber criminals. In 2015, more than 120 million patient records were compromised due to cyber breaches, according to the December 2015 "Data Breach Report" from the Identity Theft Resource Center (ITRC).

Those breaches take a heavy toll, with the average cost of a data breach for healthcare organizations reaching $2.1 million last year, according to the Ponemon Institute.

The good news is that there are some things healthcare organizations can do to increase their changes of preventing a breach, and much of that comes down to avoiding the mistakes that make your organization more vulnerable.

Here are nine common cybersecurity mistakes your health plan or healthcare system should avoid.

Compared to other industries, many healthcare organizations don't adequately invest in security leadership. They also have difficulty finding leadership talent in this area when they do seek it out, according to a recent article by Sean Curran, director in West Monroe Partners’ security and infrastructure consulting practice, and Will Hinde, senior director in the consulting firm's healthcare practice. Curran and Hinde cite an early 2015 study that found that 86% of organizations feel there's a global shortage of skilled cybersecurity professionals.

They say lack of cybersecurity leadership at healthcare organizations can lead to problems such as:

• Lack of a board presence or advocate on cybersecurity issues;

• Physicians and other personnel ignoring security concerns until a crisis strikes; and

• Mismanagement and internal vulnerabilities.

In addition to leadership gaps, many organizations lack the proper security tools, according to Curran and Hinde. They cite a Forrester research finding that insurance organizations, hospitals, and doctors, devote only 14% of their IT spend to security concerns. Health organizations, they say, should invest more in cyber defense tools, and in ensuring that those tools are integrated successfully in their daily operations.

According to a report by Spector Soft, the most risky users in an organization include managers with access to sensitive information, and contractors and consultants, who are often temporary workers. Make sure your employees are thoroughly educated on security risks and vulnerabilities, particularly when it comes to social engineering attacks such as phishing messages. The Spector Soft report says that inadvertent data breaches account for 57% of insider threats, while malicious data breaches account for 53% of insider threats.

Mobile device security accounted for 40% of worries reported by healthcare organizations in 2014, according to Caradigm. With more organizations allowing employees to use their personal devices for professional purposes, that concern is warranted.

To ensure information is secure make clear distinctions on how personal mobile devices can be used through a bring your own device (BYOD) policy, Mike Willingham, vice president of quality assurance and regulatory affairs at Caradigm, recently toldManaged Healthcare Executive.

While most organizations conduct regulatory mandated risk assessments, many fail to act on the findings, according to Curran and Hinde. They recommend that organizations identify the most critical deficiencies upon completing risk assessments, and then commit the necessary resources toward addressing them.

Similar to lacking appropriate leadership, healthcare organizations lack the necessary in-house IT staffing, said Curran and Hinde. "Without ample investments in advanced tools and human capital, a firm's internal cybersecurity staff and systems will always be deficient," they wrote. They recommend that healthcare systems consider bringing in independent security professionals or relevant software and hardware vendors, as third-party providers can help organizations identify (and plan around) their security needs and expenses.

Don't assume that the information stored on the cloud is safe, Mounil Patel, vice president of strategic field engagement for Mimecast, recently told Managed Healthcare Executive. He says that because of the large amount of customers many cloud-based vendors have, hackers can steal a lot more data in less time.

The average healthcare organization uses 928 cloud services, and only 7% of those meet enterprise security and compliance requirements, according to Skyhigh Networks. This means that most of the applications used in healthcare could be providing a risk.

Healthcare records, which can include financial data, can garner up to $20 or more per health on the black market, compared to $2 per credit card record, according to WEDI. And, as more data is in flux as healthcare organizations exchange and combine healthcare information, the risk of having that data exposed increases.

Any time a plan aggregates large data sets, it likely establishes a large "surface area of attack" from a security threat perspective, Willingham told Managed Healthcare Executive.  "This requires a robust security strategy to assess the threats and establish controls and monitoring to manage the data, both in transit and at rest.”

Many organizations make the mistake of focusing only on compliance with privacy regulations, such as HIPAA, rather than understanding how those rules apply specifically to their organizations, say Curran and Hinde. "It isn't safe or practical to let cybersecurity practices be steered solely by regulatory mandates; organizations should embrace patient data protection for its own sake, and ensure that the resulting processes fulfill HIPAA requirements,” they wrote in their article.