Healthcare organizations are all too familiar with data breaches, which have been increasing rapidly in the sector for the past ten years. According to HIPAA Journal, healthcare data breaches are now reported at a rate of at least one a day. This is hardly surprising, given the increasing sophistication of attacks, the proliferation of 5G and connected devices, and the high value of healthcare data on the black market, where personal medical records can sell for hundreds, sometimes thousands, of dollars, making them highly enticing to attackers.
At the same time, healthcare companies are under increasing scrutiny, and they face significant penalties when they fail to adequately protect patient data. A recent report from IBM Security and Ponemon Institute indicates that healthcare data breaches now cost around $6.5 million on average, including customer record recovery costs, customer loss, and regulatory fines. Some organizations, such as the American Medical Collections Agency (AMCA), have been forced into bankruptcy by the sheer burden of these costs.
Given the intense pressure that the healthcare industry has faced and the steps that healthcare organizations have taken to protect themselves, the sector offers valuable data security lessons – and the reality is that virtually all sectors will face ever-increasing risks in the ever more sophisticated cyber landscape. Any business that hosts valuable customer data – from retail to financial services – is a target for hackers and can suffer huge losses should a breach occur. Examining the threats facing the healthcare industry can help companies across all sectors gauge where threats exist and how to combat them.
Where do data breaches originate?
At the broadest level, cyber threats fall into two main categories: internal threats and external threats.
Internal cyber threats can arise from a number of sources. For one, breaches tend to increase when organizations transition from legacy data systems to newer systems. The regulatory environment in the healthcare industry requires organizations to shift vast amounts of patient records to newer systems to increase security and operational efficiency – which is a good thing in the long run, but can easily lead to mismanagement in the short term. Even when technology updates are not mandated by a regulator, organizations (both within and beyond the healthcare sector) may feel pressured to adopt the latest technologies. While this can be an effective step, since newer systems are less vulnerable to threats when implemented correctly, organizations should take care to ensure that they allocate adequate resources to such upgrades.
Importantly, the risk of a data breach does not stem solely from gaps in technology. Organizations frequently see employees fall victim to, and in some cases actively cause, data breaches. Facing long hours and a fast-paced environment, more than one fifth of employees in healthcare organizations admit to being careless in basic cybersecurity practices, such as protecting usernames and passwords. Perhaps more shocking is that almost twenty percent of healthcare employees admit they would be willing to steal and sell patient data for the right price, representing a significant insider threat.
Externally, organizations across industries face ever-evolving and more sophisticated attacks, compounded by the fact that professionals are often unaware of how best to protect themselves against the latest cyber threats. In the healthcare industry, for example, the majority of healthcare IT professionals still view network defenses as their best defensive option, even though experts report that these defenses have been rendered less effective by new technology. More effective data protections, such as defenses for data-at-rest (inactive data stored on a physical drive), continue to receive significantly less funding than outdated and increasingly ineffective approaches.
This suggests that even sophisticated organizations with much at stake may remain vulnerable to spear phishing and zero-day exploit attacks, which are almost impossible to avert with only network-based security controls. Spear phishing attacks target specific individuals within a company with highly compelling and accurate electronic communication, asking them to take a specific action, while zero-day exploit attacks demonstrate attackers’ ability to exploit a weakness in software as soon as it is discovered. These types of attacks require a more comprehensive approach, from training employees to ensuring that all company systems and software are kept up to date.
Protecting data and digital systems is still considered a largely reactive measure across industries, and security is perceived as an overhead cost. Few companies believe they will actually encounter a major breach, and therefore make the minimal investment necessary in proactive security measures. Most healthcare security budgets make up only 0.5% to 1% of revenue. However, as the frequency and sophistication of cyber threats evolve, organizations will find that their investment in security needs to evolve, as well.
What does an effective cybersecurity program look like?
There is no one-size-fits-all approach to developing a proactive data protection plan. Many factors need to be taken into consideration, including the size of the organization, budget, and the type of technology. Organizations in any industry can frame a proactive cybersecurity protocol using these key tenets:
- Develop a multi-layered and cross-functional crisis plan before a breach takes place. The most effective crisis and response plans are put in place before an incident occurs. To ensure they are prepared with a comprehensive plan, companies should begin by conducting a full risk assessment to discover what technological changes are happening and what vulnerabilities exist within their organizations. It’s important for these assessments to be conducted across all departments to prevent intrusion and slant attacks from any one department that may create an access point to sensitive information.
- From that assessment, companies should build a threat intelligence collection, dissemination, and mitigation protocol with additional security around data sets, especially around data-at-rest and data-in-motion (data moving from one location to another). This protocol should be tested regularly to keep up with the evolution of threats and changes in personnel.
  Based on the results of the initial risk assessment, the company should also have a plan for how to respond to a breach when it does happen, including a strategy for communicating with the Department of Homeland Security, the Federal Bureau of Investigation, and the public at large. Lack of transparency or downplaying the impact of the breach will result in even bigger risks for the organization.
  Throughout this process, it is important that the company develops and emphasizes the business case for its security activities – while strengthening security infrastructure may now appear to be an overhead cost, it will save significant sums in the long run.
- Ensure that partners and vendors have data protection systems. A company is only as secure as the third parties it works with. That’s why it’s essential to conduct vulnerability assessments of third parties, including collections agencies and retained counsel. For example, in the event of litigation against a healthcare company, law firms are very likely to be in possession of HIPAA-protected or other private personal data. If the law firm is vulnerable to an attack, then so is the healthcare organization.
- Create training programs for employees. Ensuring that employees are well acquainted with best practices and basic security protocols can go a long way toward preventing human error, basic phishing attacks, and password mistakes.
  Security protocols should address insider threats by conducting regular and random background screenings, implementing access controls to keep out non-essential personnel, and regularly auditing how much information access is granted to employees.
A total risk perspective is required for an effective plan
To stay ahead of today’s evolving risk landscape, organizations need to undergo significant shifts in mindset. First, it is important to understand that data protection is no longer the sole responsibility of the IT department. A cyber threat will compromise the entire organization and is seldom only the result of network or technology failures. Often, there is a human element, such as susceptibility to social engineering, carelessness, or insider threats. It’s essential to bring a broader enterprise risk management perspective that will address overlooked security challenges across departments and functions.
The second shift requires an understanding of the need for a proactive approach to risk management. Effective risk management is forward-thinking, ahead of emerging threats, preventative, and takes into consideration the business impact as well as potential worst-case scenarios. Being a “moving” target can help organizations tap into the tremendous benefits to be gained from working with big data while minimizing potential vulnerabilities.
These shifts will start companies down a path toward developing a total risk perspective where threats are determined, risks are assessed, potential business impacts are analyzed, and comprehensive plans are developed. From there, they will have a roadmap that can help mitigate risks now and for the future.