No doubt, health care providers’ focus is on caring for patients. In the face of human need, doctors and other medical professionals can understandably perceive business-specific tasks as an obstacle to getting their real work done. But taking care of each patient includes securing his or her private information. Hospital leaders provide a vital service to patients when they build cybersecurity into the culture of their organization.
The first 24 hours after a data breach
Learn how to identify key breach indicators and what should happen when an attack occurs:
Q: Do you recommend cyberinsurance?
A: Absolutely, but you need to be careful to do your research. Some policies are not high quality and don’t offer useful options for transferring risk.
First, identify the sensitive data that needs protection. Not all data needs to be protected equally. Keep in mind that the cost goes up with the level of protection.
One critical element is a policy retroactive date. Confirm coverage of cyberincidents with a history, not just those to come. Many times breaches aren’t discovered until after (sometimes many months after) they’ve occurred.
Q: How effective is a data loss prevention (DLP) process?
A: DLP is very important. There’s no other way to know where all the sensitive data resides. For one thing, employees put data in different places: SharePoint sites, structured databases, locally on computers, etc. These locations change constantly. DLP identifies where it all is at any time.
DLP can set monitoring devices (software “agents”) on servers, laptops, desktops and mobile devices to observe traffic flows. The agents reveal what’s coming into the network and what’s being sent out, and can block or quarantine specific data.
Besides meeting internal needs for the data, DLP helps the organization comply with HIPAA patient privacy regulations relating to electronic protected health information.
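As an added illustration of what the DLP agents in the answer above do (inventory where ePHI currently sits, and block it when it is headed out of the network), here is a small Python content scanner; it is example code written for this page, not part of the article or any vendor's product, and the locations, detection patterns and sample records are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample contents as an agent might see them on a file share,
# a workstation and an outbound mail channel (no real patient data).
SAMPLE_LOCATIONS = {
    "sharepoint://Billing/claims_2015.csv":
        "Patient: J. Doe, SSN 123-45-6789, DOB 04/12/1970, Dx: diabetes",
    "C:/Users/nurse1/Desktop/notes.txt":
        "Remind room 4 about discharge paperwork tomorrow",
    "smtp://outbound/msg-0042":
        "Attached are MRN 00481516 records for Dr. Smith, DOB 11/02/1958",
}

# Hypothetical ePHI element detectors (a real deployment would tune these).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB\s*\d{2}/\d{2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,10}\b"),
}

@dataclass
class Finding:
    location: str
    kinds: tuple   # which ePHI element types matched
    action: str    # "allow", "quarantine" or "block"

def classify(text):
    """Return the ePHI element types present in a piece of content."""
    return tuple(kind for kind, pat in PATTERNS.items() if pat.search(text))

def decide(location, kinds):
    """Policy: ePHI leaving via an outbound channel is blocked;
    ePHI found at rest is quarantined for the data owner to review."""
    if not kinds:
        return "allow"
    if location.startswith("smtp://"):
        return "block"
    return "quarantine"

def scan(locations):
    findings = []
    for location, text in locations.items():
        kinds = classify(text)
        findings.append(Finding(location, kinds, decide(location, kinds)))
    return findings

def inventory(findings):
    """Answer 'where does ePHI live right now?' as {location: kinds}."""
    return {f.location: f.kinds for f in findings if f.kinds}

def mask(text):
    """Redact matched values so the DLP report itself does not reproduce ePHI."""
    for kind, pat in PATTERNS.items():
        text = pat.sub(f"[{kind.upper()} REDACTED]", text)
    return text
```

The `mask` helper matters in practice: a DLP alert that quotes the unredacted SSN simply creates one more place the data lives.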
Costs and threats are heavy and increasing
Cybersecurity failure in health care costs patients and organizations alike. Patients' names, contact information, birthdates, Social Security numbers, financial information, and diagnoses and treatments are going into the wrong hands at dizzying rates, exposing patients to identity theft and loss of privacy, money and trust in their health care provider.
For the organization, the loss of patients' trust is incalculable. The monetary cost is also difficult to pin down, but a Ponemon Institute estimate puts it at $363 per record, with payouts for incident response and breach notification, legal defense, regulatory fines and crisis services.
Criminals are following the money
While employee mistakes — carelessness in sending or storing data, and losing laptops and cell phones — are still much to blame, cybercriminals have emerged as the most imminent danger.
The Ponemon Institute study reports that data breaches in health care due to criminal activity come from malicious insiders, professional and nation-state hackers, and physical theft, and that this activity has increased 125% over the past five years. The sad fact is that in 2014, health care was the leading industry for breaches (42.5%) compared with other sectors, e.g., business (33%), government/military (11.7%), education (7.3%) and banking/credit/financial (5.5%).
The reason for the escalation is that thieves’ return on health records is big money. Reuters reports that health records are worth 10 times more than credit card information on the black market.
An accomplice in the escalation is the unique vulnerability of health care providers. Theirs is not a typical business setting — making a profit is not their priority. In taking care of patients, including handling emergencies, a professional might forgo even simple actions like locking the computer. Many health care organizations don’t have up-to-date computer systems with the security features that other industries have instituted. “Criminals discover a veritable treasure trove,” says David Reitzel, national Health IT leader in Grant Thornton LLP’s Health Care Advisory Services practice. “Family and other personal information, always included in a medical record, can be used to answer security questions to gain entrance into myriad ‘protected’ spaces.”
Prepare to avoid a breach
While collaboration is essential, with the IT department owning the technology tools and other departments making pertinent contributions, oversight remains with internal audit in partnership with hospital leadership. To ensure a solid defense, the two must understand the components of preparation:
- Create a risk profile.
- Map and classify data.
- Evaluate vendors.
- Establish security protocols.
- Educate stakeholders.
- Maintain a security culture.
- Identify indicators.
- Form an incident response team.
For example, in establishing security protocols, take practical action: before a professional travels, issue him or her a laptop not connected to the entire system. If the computer goes missing or is otherwise compromised, unauthorized access is isolated and the loss isn’t significant.
See the full report for details about each step in avoiding a breach.
Prepare to deal with a breach
No matter how complete your preparation, a breach can befall your organization. The attack on sophisticated health insurance company Anthem is a chilling reminder that cyberincidents can occur anytime to any organization.
But what Anthem did — and what you can do, too — was to take steps to prepare for a breach and be ready to respond quickly with a plan of action, including having in place an agreed-upon policy and process to support proper communications.
With every reason to expect that cyberattacks will continue to morph and grow in destructive capacity, hospital leadership must give cybersecurity its due position in strategic importance, incorporating it into their business strategy and culture.