In 2015, cybercriminals increased their focus on one of the largest sectors of the U.S. economy, exposing over 100 million records to those who wished them harm. Unlike the financial sector, which had invested heavily in security, this sector remained relatively open to attack. It remained so despite the fact that over the past 20 years governments had tightened the regulatory requirements for the security and accessibility of its data, and in the face of hefty fines topping millions.
This sector is the healthcare sector. Flash forward four to five years, and little has changed in healthcare security. The sector still invests poorly in securing patient records despite living under the shadow of HIPAA and facing even greater risks to PHI. Organizations are still largely unaware of the risks and fail to account for them during HIPAA-required risk assessments.
What Does the Modern Cyberattack Look Like?
When you think of a hacker, you may envision a lone wolf holed up somewhere in their apartment, sweating over endless code, engaged in thousands of failed attempts to break into your systems. Their purpose? It varies from personal gratification to recognition in their hacker community to exposing patient data for a profit.
But this is not what the modern cyberattack is all about. Modern cyberattacks are carried out with precision by mafia-like organized crime outfits around the world. They have the best technology and people working for them. And they’ve learned where the money is. It’s not found in selling customer data. It’s found in holding that data for ransom, locking you out of your own systems, preventing you from meeting the accessibility section of HIPAA.
And unfortunately, too many institutions faced with complete loss of their records just pay up. In fact, just recently, it was announced that a city in Florida will be paying $600,000 in hopes that cybercriminals will release their records.
Ransomware hacks like this one aren’t the only threat to healthcare security, but they are certainly one of the most costly faced by healthcare executives today.
What Is the Scope of the Security Risk?
The risk isn’t small, and a major attack is not unlikely.
In fact, in the past 10 years, nearly 200 million patient records in the U.S. have been threatened by attacks like these. Every single day at least one healthcare security attack is reported.
What Are the Top Barriers in Healthcare Security?
One of the top barriers reported in healthcare institutions is lack of buy-in at the executive level. Many IT departments find it hard to communicate these risks to leadership effectively enough to secure adequate funding for healthcare security.
The risk to patient records isn’t clearly understood. Often companies find themselves spending much more money in “cleanup” after an attack rather than proactively assessing their risks and investing in solutions before they come face to face with a cyberattack scenario.
Because of the lack of understanding and limited funds, money gets spent elsewhere as IT infrastructures become more and more vulnerable year after year. But you can end this cycle by beginning to take steps in the right direction.
How to Build a Plan to Battle Healthcare Cybersecurity Threats
To begin, acknowledge that these kinds of threats are real, pressing, and costly. Do the research and speak with security professionals to better understand what these risks are.
Bill Tobey from HitsTech, a Raleigh IT services company focused on healthcare in North Carolina, shares a recommended plan for healthcare providers:
- Assemble your team. If you don’t have the in-house expertise (most healthcare facilities don’t), then establish contact with IT and healthcare security experts who can collaborate with your onsite team to secure your systems. It’s very important that the security team has experience specifically in healthcare because of its unique risks.
- Assess your level of risk and types of risks throughout the organization comprehensively.
- Come up with a budget that reflects your level of risk.
- Design a comprehensive strategy. Don’t spend everything in one area. Cybercriminals know how to exploit the weakest link.
- Begin to close the gaps in security. Go for the low-hanging fruit, but also prioritize. A healthcare security expert can help you do this cost-effectively and efficiently.
- Get your data backed up as fast as possible. Healthcare cloud providers have invested heavily in security. They understand the risk. Backing your patient data up on a trusted cloud server regularly means that a cyberattacker can’t hold inaccessibility over your head in order to extort a ransom.
- Don’t forget to get those Business Associate Agreements (BAA) signed before allowing a third party to access your data.
- Now that you’ve addressed what you can do immediately to secure data, begin developing longer-term strategies to ensure you’re ready for the future as cybercriminals continue to improve their tactics.
This is no small project, but with the right people in place, you can accomplish your healthcare security goals to protect patients. A healthcare IT company that specializes in healthcare security can help you assess your true risks, understand the scope of those risks and begin strategically putting systems in place.
By getting informed and taking action, you can reduce the risk to patient records and continue to protect the patient’s right to privacy and accessibility.