Lack of Cybersecurity
Due to the success of previous attacks and the relative lack of sufficient cybersecurity, healthcare is now the most attacked industry by hackers, fraudsters, phishers and ransomware attackers. The problem is the healthcare industry is highly focused at what it does best, providing the best quality healthcare possible. Many of its C-level executives lean towards the healthcare side as well, however only a handful of personnel are tasked with securing the data of the entire company and its patients. Put simply, healthcare data security is not the wheelhouse of the industry. And it shows.
“The industry that is supposed to offer everyone reprieve and look after their well being is under attack from cybercriminals.”
IBM, one of the technology industry’s most trusted and longest running companies, has recently released a report which claims that over 100 million healthcare records were breached in 2015. These records were harvested from 8,000 devices located in more than 100 countries. In the USA, and other countries which have implemented and enforced a health data security policy, such breaches can have hefty financial repercussions. Breaches of America’s HIPAA and HITECH acts carry a minimum of $500 per piece of data that was plucked by the fraudsters. Each of the 100 million plus healthcare records can contain numerous pieces of data, which when extrapolated represents billions of dollars in fines.
While it may be logical for criminals to go after financial institutions, the inherent lack of healthcare security makes it that much more attractive. In fact, financial institutions rank third on the cyberattack hit list after the manufacturing sector. This is, in part, due of the types of data associated with each industry. If you look at it more closely, the financial sector is of course full of financial data, but that’s about it. The healthcare industry, however, is rife with financial, personal and healthcare data. Each type of data can be exploited by fraudsters in a variety of ways. This means the data captured from the healthcare industry is more flexible, more usable, more valuable than the data pulled from financial institutions.
When more than half of the healthcare IT industry professionals reported experiencing breaches, you know you’ve got a serious issue on your hands. 63 percent of IT security teams in the healthcare industry indicated they experienced a breach, and 10 percent experienced it within the last 12 months. And, that’s the people who publicly came out and admitted to the hacks. You can be sure there are many more who are withholding this information in fear of repercussions to their reputation, backlash from patients and shareholders.
Time to Respond
The sad fact is that the overwhelming majority of the healthcare industry moves at a glacial pace. Sluggish reaction times and implementation schedules combined with lack of funding for new technology makes them easy sport for the agile, multi-phase attacks of the modern cybercriminal. Times are changing and the industry is doing a poor job of catching up. They are, in essence, using horses and muskets to fight tanks and jets.
Change is hard, but it needs to happen and the healthcare industry needs it to happen now. To have a fighting chance from plugging the data breaches, healthcare companies will need to invest heavily into IT security. A significant financial investment will need to be made, but that is not the only type of investment. The companies will need to go “all-in” and adopt stringent data security policies and practices that encompasses everyone from the patient reception desk all the way up to the C-suite. Everyone must be made known of the impact lost patient information can have on the company, and the various ways fraudsters, hackers and criminals use to get them. There is a ray of hope, stats show more and more organizations are adopting such methods, but it has been a slow and painful process for a lot of companies. As much work as they are putting into IT security, healthcare organizations are just not agile enough to adapt, not even to the varying attack vectors of the criminals, but of technology itself.