In the first half of this year, the health care industry experienced several hundred data breaches – a quarter of total breaches across all industries. By the third quarter, both the Ponemon Institute and Trend Micro ranked health care as the most at-risk industry in terms of cyber-attacks globally.
Keith Banks, health care security practice lead at Optimum Health care IT in Jacksonville Beach, Florida, said information security is the single most important issue impacting the health care industry today. “Currently, the specific threats of ransomware and phishing rank high on the list of priorities,” Banks said. “Health care organizations need to defend against an evolving threat landscape. To do this requires a team of highly skilled security professionals, which most health care organizations are lacking to the extent required to maintain adequate defenses and meet compliance obligations.”
It’s estimated that 90 percent of health care organizations in the U.S. have suffered at least one data breach in the past two years with the average cost of each breach reaching $2.2 million.
“The risk of a data breach continues to be the biggest issue facing health care organizations,” said Carolyn Luther, an executive consultant at FluidEdge Consulting outside of Philadelphia. FluidEdge provides health care solutions for clients ranging from management to IT consulting. One of the key strategies for consultants like Luther is finding ways to prevent breaches before they occur.
“Breaches can occur in a variety of ways,” she said, “be it external individuals trying to steal data – hacking into networks – or an internal issue that causes data to be released by mistake or an employee committing fraud.”
“An end-user clicks on email and the whole office is affected.”
Chris Johnson, the director of strategy and business development for Untangled Solutions, a Wheelhouse IT company based in Los Angeles, is also a member of CompTIA’s security committee, which focuses on educating IT service providers on ways to better provide services to their client base. Based in Iowa, Johnson works with the HIPAA-compliant company to provide medical IT support to the health care industry for a range of clients – from smaller organizations to large companies.
Johnson said most hackers don’t actually know what they target. “They are looking at IP addresses and exploiting what ports are open,” he said. “We’ve seen when an end-user clicks on email and the whole office is affected.”
CompTIA offers a self-assessment wizard online that can help companies evaluate risks immediately. Banks said having IT security professionals regularly conduct thorough risk assessments can help big and small companies alike navigate the changing threats, and ultimately keep confidential data safe before it’s too late.
He recommended implementing “a layered security strategy” to reasonably safeguard any information against identifiable threats. “In the end,” said Banks, “the information is only as safe as the weakest link, which often turns out to be the human element. Employee training and establishing a culture of security awareness across the organization is another essential factor.”
According to the Verizon 2016 Data Breach Investigations Report, health care actually has the highest percentage of incidents from theft or loss. Breaches can result from anything from weak passwords to clicking on malicious links in an email. Here are some guidelines to avoid problems before they happen:
- Hire a CSO: A top-level cyber security expert will help manage a team of IT professionals and report to upper-level management. Having someone in this role with both IT and executive know-how helps determine budgetary needs for security in conjunction with the corporate culture.
- Educate employees: It is never too soon to start the conversation about IT security with all levels of employees, from data entry to executives. Having the skill set to avoid common mistakes – like clicking on a phishing link or opening a malicious attachment – can create a more proactive approach to IT security from the ground up.
- Look into federal resources: Both the FBI and Department of Homeland Security have made efforts to educate health care companies about global cyber risks. Take advantage of the information and services being offered to help create a team with full accreditation and compliance in the industry.
- Start small: Basic security steps can be taken today, like having a trusted firewall in place, updating old equipment and outdated software protection, and securing wireless connections and devices being used by employees to access company data, like smart phones, tablets, laptops and offsite servers.
“Sixty percent of security breaches come down to people.”
Because Johnson said 60 percent of security breaches come down to people, like someone opening an infected email or clicking on a compromised link, the committee is spending a lot of time on education. Johnson said “educating staff” is key. “Just because you think it’s an isolated issue,” he said, “know that it’s real and could happen again.”
One way of reaching staff across the company is through small lunch-and-learns in which an IT specialist walks employees in intimate groups through the do’s and don’ts of computer use, providing not only a primer on how not to fall victim to common phishing schemes, but also offering a chance for questions and answers that aren’t likely being asked elsewhere.
Companies need to be asking if they are doing enough.
“Many of the health care organizations I currently work with are spending between three and 10 percent of the IT budget on information security,” said Banks. “In contrast, finance, banking and the federal government spend twice as much of their IT budgets on security.”
Practically speaking, a company should consider implementing solutions like two-factor authentication, endpoint advanced threat protection and phishing simulation campaigns. When a massive breach happened at Anthem, the country’s second largest health care insurer, last year, the company had to notify as many as 80 million customers that their confidential information was compromised. It took eight days for Anthem to even realize the breach had happened.
With new rules in place for the Affordable Care Act designed to protect health information and electronic records, the need for upgraded security only underscores the changing digital health care landscape. Personal and payment information makes health care particularly attractive to hackers. With so many employees navigating IT systems, the chance for a breach is multiplied by simple human error.
“Not to diminish the need for preventative controls,” said Banks, “but for most organizations it is not a matter of if a breach is going to happen, but when and what will be the consequences. The ability to quickly detect a breach and a well-developed incident response plan are just as important as the investment in preventative controls.”
Natalie Hope McDonald is a writer and editor based in Philadelphia.