Under attack: Arm yourself against hackers
While recent attacks on Anthem, Community Health Systems, Premera and CareFirst helped focus awareness on the importance of cybersecurity, many healthcare payers and providers are still mired in outmoded or unfocused strategies and thus remain vulnerable.
The U.S. healthcare industry is struggling to keep pace with an ever-widening number of global threats being perpetrated by increasingly sophisticated cyber criminals.
Criminal attacks in healthcare are up 125% since 2010 and are now the leading cause of data breach, according to a recent study by the
Experts say that unless healthcare organizations utilize strong approaches to manage risk and protect data, the potential costs could be staggering.
Mounting concerns
In April 2014, prior to some large publicized attacks, the FBI issued a private industry notification, warning healthcare providers that their networks were too lax compared to other industries. Some industry experts worry that the situation is much the same more than a year later. “They’re just being sloppy,” chief executive officer Mac McMillan of
“Once you get beyond the shock factor [on recent healthcare data breaches], you wonder ... ‘Why did people have all this information?’” says McMillan, who also chairs the
He cites two paradigms in play: For payers, having accessible data is a business driver. For providers, patient care and safety come first and everything else, including cybersecurity, is second. Yet in both scenarios, a rapid response when a breach is suspected is of the essence, says McMillan, former director of security for the U.S. Department of Defense. CareFirst executives had “holes in their security approach,” he asserts, since CareFirst saw anomalous behavior months before the breach but didn’t follow up until after other payers’ breaches.
“There’s nothing that healthcare is dealing with that other folks haven’t dealt with already,” McMillan says. “The same person that shows up at your hospital to work is the same person that worked yesterday in retail ... The only thing special about healthcare is the operational aspect of care to the patient - so you err on the side of caring for the patient first, not protecting the data.”
Nationwide, data breaches could be costing the healthcare industry $6 billion, says the Ponemon Institute report issued in May. That total arises from two factors: The average cost of a data breach for healthcare organizations is estimated to exceed $2.1 million, and 91% of organizations have had a breach, with four in 10 having had more than five breaches over the past two years.
“There are only two types of [healthcare] organizations right now: Those that know they’ve been breached and those that don’t know they’ve been breached,” says Rick Kam, president and cofounder of
Broadly speaking, cyberattacks are frequent and swift. Five malware events occurred every second in healthcare in 2014, according to Verizon’s 2015 data breach investigations report.
Email phishing has been increasing since 2011, Verizon says, and in 60% of cases, cyberattackers compromised an organization within minutes, with organizations’ response time lagging well behind. Healthcare was among the most affected industries for “insider misuse” and errors made by internal staff, notably system administrators, such as sending sensitive information to incorrect recipients.
It also isn’t a matter of cyberattackers only trying to topple giants. Experts say no healthcare organization, regardless of its size, is immune from cyber risks.