Calling all professionals in the healthcare industry!
2015 was not a good year for your industry in terms of cyber-attacks. For instance, we learned from Ponemon that criminal attacks in healthcare increased by a whopping 125% from 2010, making criminal attacks the leading cause of data breach in the industry.
As if matters couldn’t get any worse, 2016 brought the finding that nearly 90% of healthcare organizations represented in another study by Ponemon had experienced a data breach in the past two years. Obviously, any organization, no matter the size, in the healthcare industry is at risk. But, why this specific industry?
An Industry at Risk
Cyber-attacks in the healthcare industry are increasing – but why? Basically, healthcare organizations provide a treasure trove of data that can be used for crimes like identity theft. Information compromised as a result of a security breach often includes medical files containing personal health information of employees and patients, payment information, and insurance records. In order to identify reasons as to why so many security breaches are occurring in this industry, multiple studies and surveys have been conducted to pinpoint the root causes of these issues.
1. Employee negligence
While criminal attacks are still the leading cause of data breaches in the industry, many security issues have been caused by employee negligence. For example, an employee may accidentally mishandle electronic patient information on a company computer, say by opening an email or attachment that contains malware that then compromises confidential information. While a small number of security breaches are caused by insiders with malicious intent, most employee mishandling is the result of unintentional carelessness.
The Solution: Employee Training
Because of the high-profile data breach cases covered in the news, healthcare organizations are taking extra precautions to reduce data breaches caused by employee mistakes. According to Ponemon, healthcare organizations are increasing employee training to prevent security missteps.
2. Third-party security breaches
Nowadays, nearly every company relies on partnerships with third-party vendors to keep business running smoothly. Despite the convenience of third-party services, outside vendors pose a significant threat to security if proper vendor management precautions aren’t implemented. In 2015, incidents in the healthcare industry attributed to third-party vendors skyrocketed 56%, according to PwC. This is because healthcare organizations often lack the time and expert staff necessary to perform comprehensive vendor assessment and monitoring.
The Solution: Vendor Management Services
In Ponemon’s Sixth Annual Benchmark Study on Privacy & Security in Healthcare, 51% of healthcare organizations admit that their networks are likely vulnerable due to their lack of attentiveness to third-party security. Sometimes it’s best for organizations to let security companies (like us!) manage and assess their vendors. For example, our staff has expertise and a unique understanding of security that allows us to accurately identify security risks with third-party vendors in any industry. This way, healthcare professionals have peace of mind knowing that their vendor assessments and monitoring are being properly performed. After all, 41% of healthcare companies attribute data breaches to third-party errors, making third-party security the second leading cause of data breaches behind criminal attacks.
3. Hackable medical devices
Remember when I said 2015 wasn’t a great cybersecurity year for healthcare organizations? This was due to the stunning revelation that a medical device, an infusion pump, was susceptible to hacking, according to PwC. Should the pump be hacked, attackers could potentially administer a fatal dose of medication through it. In today’s digital age, mobile apps and medical devices become exposed to compromise as soon as they are connected to the internet.
The Solution: Know the Risks
Regulators are aware of the dangers a hackable medical device poses. The FDA has warnings and guidance documents in place that advise manufacturers and healthcare organizations to allow only trusted individuals access to their networks.
4. Criminal attacks
Data breaches are frequent in the healthcare industry, and their leading root cause is criminal attacks. Increasingly targeted, 50% of healthcare organizations report that their security breaches were caused by criminal attacks, according to Ponemon. This makes criminal attacks the leading cause of data breaches in the healthcare industry.
The Solution: Security Risk Assessments
Security risk assessments are necessary for companies that take their network security seriously. Our Security Risk Assessment services involve identifying, assessing, and prioritizing the security risks facing your organization. It’s beneficial to have companies like us perform security risk assessments so that no holes in your network are overlooked.
Considering all the security challenges facing healthcare organizations, you’d think their budgets dedicated to security services would increase, right? Wrong! Healthcare organizations are fully aware of security risks facing their field, yet budgets for security have stayed the same or even decreased for many organizations in the industry, according to Ponemon.
The Solution: Awareness
Most of the time, the reason companies don’t spend enough on cybersecurity is a lack of awareness. Professionals outside of the cybersecurity industry lack a deep understanding of security risks and of how to fully prevent data breaches. On the other hand, cybersecurity isn’t just about preventing attacks; it can also be about leveraging data to better your business. Feel free to ping me to discuss how cybersecurity services work to better the healthcare industry and to avoid these healthcare cybersecurity risks.
by Paul Dusini
Information Assurance Manager
Paul Dusini is the Information Assurance Manager for NuHarbor Security. He has more than thirty years of experience helping organizations successfully and safely use information systems to support business goals. He is an experienced CIO and Risk Manager and is certified in security management (CISM) and risk management (CRISC).