It is no secret that the healthcare industry has lagged behind other industries in information security. With the sharp increase in cyberattacks and security breaches over the last couple of years, healthcare has proven to be no less exposed to IT security risk than any other sector. In 2015, KPMG surveyed 223 healthcare executives and found that nearly 80 percent reported that their organization's IT systems had been compromised by cyberattacks. Additionally, according to KPMG, “the healthcare industry is behind other industries in protecting its infrastructure and electronic protected health information.”
Adam Greene of the law firm Davis Wright Tremaine recently said in a CareersInfoSecurity.com article, “Healthcare entities have historically lagged behind many other industries with respect to how much budget is spent on information security. But the last few years have really highlighted the substantial damage that information security breaches can cause, demonstrating a much higher return on investment for robust information security controls.”
Healthcare organizations are among the institutions we trust most, and they handle and store some of our most personal information: medical records, social security numbers, addresses, and prescription history. At the same time, the industry suffers from several setbacks, including tight budgets, poorly organized IT environments, and continued reliance on dated legacy systems. In 2017, potentially more than 1 million patient records across a wide range of healthcare organizations, from insurers to providers, were affected by cyberattacks. Ransomware, one of the most damaging forms of attack, appears to be increasing. A medical equipment supplier reported that the data of 500,000 clients was compromised in April of 2017. Data hijacking is becoming a common occurrence, and it not only causes downtime for healthcare facilities but also imposes the substantial cost of the ransom demanded to release the sensitive information back to the facility. In the interim, patients are put in harm’s way, and the trustworthiness of any third-party stakeholder who may have had access to the data is called into question.
Not only are the ever-increasing security breaches incredibly costly for companies, but they also lead to a loss of credibility with clients and patients. One example is Banner Health, which has faced class action lawsuits after a breach exposed the information of 3.7 million patients. The financial and legal fallout from data breaches is costly, and not all organizations are able to recover. The Anthem breach involved many privacy law violations, and it also illustrates the limits of a single control: because the attackers gained administrative access, even stronger encryption of the stored data would not have stopped them, since an account with legitimate administrative access can read that data as part of its normal operation. This is where the gap in information security hurts the industry most: as healthcare organizations lag behind, attackers are becoming more sophisticated and creative in how they steal healthcare data.
In attempting to close the gap within the healthcare industry, an added challenge stems from how large the gap actually is. Only a decade ago, most health records were on paper. Within only a few years, a majority of hospitals switched to electronic records, and amid this transition the security of digital health data was unable to keep pace with the accelerated growth. Other industries, such as financial services and the federal government, have also been victims of cyberattacks, but they have devoted more than 12 percent of their information technology budgets to cybersecurity. Unfortunately, healthcare has averaged only half of that amount.
The bottom line is that the healthcare industry is not only behind others in closing the technological gap; data breaches in this field are also the most expensive per record stolen. The 2016 Ponemon study, done in partnership with IBM, found the average cost per stolen record in healthcare to be $355. Because the average cost of a healthcare breach is so high, it is foolish not to ensure that a cybersecurity professional is employed at every healthcare organization. While it may seem costly to devote even more of the organization’s budget to IT security, prevention has consistently proven to deliver more value and cost savings than any reactive measure can hope to after an organization has already become the victim of an attack.
If you have questions related to Information Security, HIPAA, HITRUST, or other cybersecurity services, reach out to CyberGuard Compliance for help.