By Sean Nobles, NaviSec
All healthcare organizations face growing threats from data breaches and cyberattacks, yet many small-and-midsize enterprises (SMEs) are caught off guard when they discover their data has been compromised. Lulled by the belief that their data is not high-profile enough to interest an attacker, these organizations leave themselves exposed to significant risk. Because security programs in SMEs are often deficient, cyber criminals consider them prime targets.
While the industry at large is working to get ahead of the cybersecurity challenge, the statistics remain alarming. In the first six months of 2019, almost 10 million patient records were affected by healthcare data breaches in the U.S. Notably, breaches soared to 1.5 per day during April and May, with network server and email attacks accounting for most of the events. It is also worth noting that, compared with 2018, ransomware and other malware made a comeback as a cause of breaches.
The complexities of cybersecurity are overwhelming for many physician practices and other small healthcare organizations, which often lack the resources and in-house IT staff needed to get ahead of security challenges. The common practice of hiring an IT consultant on an as-needed basis has not improved the outlook. Without dedicated IT professionals who understand the specific vulnerabilities within a practice, organizations leave themselves open to attack. Perhaps more importantly, the attack surface keeps growing as the number of connected medical devices on practice networks swells.
In the face of growing cybersecurity complexities and dangers, it is easy for healthcare organizations to feel helpless, but the situation is not as bleak as it may seem. The best first step is to evaluate the threats facing your particular organization and start small. Cybersecurity will always be a concern, so physicians should treat it as an ongoing process rather than a set-and-forget task. Consider, too, the following frequently overlooked aspects of cybersecurity among healthcare providers.
Employees Often Pose The Greatest Threat
We often think of cybersecurity as a purely technological issue, but people are an important part of the security equation. Staff members who fail to understand and follow security protocols are a tremendous vulnerability for healthcare practices. The FBI calls humans the weakest link in any system, but also points to their value as the first line of defense in protecting your organization. Regular education and security reminders keep employees engaged in securing protected health information (PHI).
Also remember that the people who work within your organization are closest to your PHI and require the same oversight an organization gives its IT systems. In 2018, 28 percent of data breaches originated with insiders, a figure that includes both human error and intentional wrongdoing. In one instance, an employee's snooping on patient records went undetected for 15 years; because the insider had legitimate credentials, the unauthorized access looked like routine use and no one was watching the access logs for it.
Prioritizing Cybersecurity Costs Far Less Than Addressing A Data Breach
The consequences of a data breach fall on the provider, the patient and the organization as a whole. Publicized breaches may result in fines, reputational damage and the cost of remediation needed to prevent a recurrence.
The healthcare industry suffers the highest data breach costs of any sector, averaging $6.45 million per breach. The average cost per record breached is $429, compared with $210 in the financial sector, which faces the second-highest cost. Healthcare breaches cost 65 percent more than those in other industries. In extreme cases, such as Brookside ENT and Hearing Services, a cyberattack can force a practice to close.
Implementing Cybersecurity Begins With Simple, Strategic Steps
Security is a journey, not a destination. Cybersecurity offerings change weekly, and cookie-cutter solutions fail to address the specific needs of each healthcare organization. The breach trends for your sector may differ from those of another segment of the market, so evaluate your own situation before seeking solutions.
To start, work with a partner to set up a vulnerability assessment and, ideally, a penetration test that simulates realistic attacks against your practice in order to identify its weaknesses. Once you have identified vulnerabilities, choose a provider that can customize solutions to address them. Recognize that many healthcare organizations mistakenly choose low-cost options as a quick fix without regard to the long-term effectiveness of those solutions. That approach ultimately results in higher costs down the road.
Your cybersecurity partner should help you implement right-sized protection for your business operations. And because the landscape changes constantly, your program must identify and address emerging threats and go beyond basic compliance. As of June 2019, email was the most frequent location of breach within healthcare organizations, and ransomware, which had fallen out of favor, re-emerged as a recurring danger.
Healthcare organizations must stay ahead of the threats by adopting a comprehensive approach to cybersecurity. Customized approaches keep costs low by filtering out unnecessary tools, and they balance local operational and security needs so that healthcare organizations do not have to sacrifice function for the sake of security.
As physicians strive to make the most of their time and resources, cybersecurity must be part of the conversation. Strategic cybersecurity protection allows physicians to minimize the potential for mistakes and put in place a long-term solution for security.