Health plans are top targets for cyber attacks. Fortunately, more are taking steps to prevent a data breach.
Crime dramas on TV are prolific and popular. Breaking Bad, The Wire, CSI, NCIS, Criminal Minds, Law and Order, and True Detective all play on our fears and often feature fascinating villains and dazzling technology. But cybercrime in healthcare is not entertaining. It’s deadly serious.
The Ponemon Institute’s 5th annual privacy and security report fingers criminal attacks as the number one cause of data breaches in healthcare, underscoring the seriousness and prevalence of cyberterrorism and the critical need for cybersecurity.
More than 90% of healthcare organizations and almost 60% of their business associates have experienced a data breach. Nearly 80% of healthcare organizations have experienced multiple breaches since 2010. According to the Office for Civil Rights (OCR), theft accounts for almost half of all cybercrime in healthcare. While credit card records are worth $1 on the black market, healthcare records command 5 times as much, because their rich data provide fertile ground for fraud.
Cybercrime occurs across the board in healthcare, but payers may be particularly susceptible because when criminals hack into an Anthem or Premera they open the floodgates to millions of records and data points almost instantaneously.
The Ponemon report showed that half of healthcare organizations and business associates have little or no confidence that they can prevent a data breach. While I acknowledge healthcare organizations cannot totally eliminate all risk of an incident or data breach, I am encouraged that more are proactively reducing their risk of a cyberattack or breach in a variety of ways, including:
· Beefing up privacy, security and compliance staffing, including in the C-suite, where chief information security officers are advocating for appropriate funding
· Creating, implementing and monitoring stringent policies and practices, including role-based access so staff can only view information on a “need to know” basis
· Conducting annual risk assessments to determine vulnerabilities and gaps and closing them
· Encrypting information at rest and in transit
· Disabling USB ports on laptops so data cannot be copied off or stolen
· Ensuring staff are trained and updated in privacy and security on an ongoing basis
· Setting up and monitoring alerts, performing penetration testing, and establishing a crisis team and war room that can immediately mobilize the resources needed to stop intrusions and minimize damage
· Following roadmaps created by the Office of the National Coordinator for Health IT (ONC) and others to build security and risk sharing into their infrastructure, both today and down the road, so they can adjust to the shifting cybercrime landscape
· Having third parties review their policies, procedures, controls and infrastructure, including annual risk assessments, intrusion detection, staff training, etc., to identify and mitigate gaps and risks
· Buying cybersecurity insurance against being hacked
· Demanding that all their IT vendors and business associates demonstrate third-party review and accreditation for privacy and security
· Building the security of personal health information into all their innovative medical solutions from the outset, as a matter of course
Savvy healthcare organizations know they can’t solve cybercrime in the half-hour or hour of a must-see crime show. They know robust cybersecurity takes time, effort and constant vigilance because the stakes are high. Fees and fines can add up, and loss of revenue always hurts, but being splashed on OCR’s Wall of Shame and losing credibility with stakeholders and customers can cost even more. It can cost you your business.