It seems you can’t swing a stethoscope around lately without hitting a story about healthcare cybersecurity measures being compromised.
From ransomware paralyzing hospitals, to data breaches releasing protected health information (PHI), healthcare organizations have proven particularly susceptible to cyberattacks. A recent Ponemon Institute report revealed that, on average, healthcare organizations surveyed have experienced almost one cyberattack per month over the last 12 months.
A joint Vormetric/451 Research survey of 1,100 senior IT security executives at more than 100 U.S. healthcare organizations turned out similarly frightening numbers. Sixty-three percent of executives said they had experienced a data breach, with one in five reporting a breach in the last year. Almost everyone surveyed (96%) said they felt vulnerable to data breaches.
And it’s not all malicious attacks. Verizon’s 2016 Data Breach Investigations Report found that physical theft and loss of devices, laptops, and the like, accounted for 32% of healthcare industry cyber incidents in 2015. Theft and loss impacted the healthcare world the most by far, according to the DBIR. Additionally, Verizon’s researchers found employees losing assets was 100 times more likely than theft. Plain old human error, such as sending sensitive information to the wrong person, was also a leading cause of cyber incidents for the healthcare sector.
Time to Start Worrying
If you’re in the healthcare space, these figures should send a shiver down your spine.
Put bluntly: the stakes could not be higher when it comes to healthcare cybersecurity. Lives hang in the balance when malware finds its way into a hospital network and wrenches control away from doctors and nurses. Breaches of PHI can be just as impactful. Researchers with Verizon Enterprises report that patients will sometimes withhold medical information from their physicians for fear of exposing it to a breach.
Unfortunately, multiple lines of evidence from InfoSec research suggest that healthcare facilities may not be the best positioned to respond to shifting cyberthreats (both malicious and accidental).
Case in point: yet another Ponemon survey (prolific, aren’t they?). This time, researchers polled 91 covered entities and found that the majority of healthcare organizations have not invested in the technology needed to mitigate a data breach, nor hired enough InfoSec professionals to fill their ranks. Nearly 60% of healthcare organizations have doubts that their security budgets are big enough to lessen the damage of a breach.
“Although there’s been a slight increased investment over last year in technology, privacy and security budgets, and personnel with technical expertise, the majority of healthcare organizations still don’t have sufficient security budget to curtail or minimize data breach incidents,” the Ponemon researchers write.
Another data point: the Vormetric/451 Research survey uncovered an over-confidence in the safety net of compliance among the senior IT executives polled. Sixty-nine percent told researchers that they view meeting compliance requirements, such as HIPAA and PCI-DSS, as a “very” or “extremely” effective way to protect sensitive data.
Unfortunately, this view does not match reality. HIPAA regulations require only annual training, and that is as far as they go. You can technically be HIPAA compliant with any once-a-year, off-the-shelf course, but we’ve seen that this is not enough. Garrett Bekker, senior 451 Research analyst and author of the report, took the words right out of our mouth:
“Compliance is only a step towards healthcare IT security,” Bekker said in a press release.
“As we learned from data theft incidents at healthcare organizations that were reportedly HIPAA compliant, being compliant doesn’t necessarily mean you won’t be breached and have your sensitive data stolen.”
More than Compliance
Focusing on mere HIPAA compliance makes healthcare organizations a soft target for cyberattacks. Try to see an average hospital through the eyes of a cybercriminal. All that patient personal information just sitting there, waiting to be swiped and resold on the black market. Or, as recent headlines have shown, hospital officials who are willing to cough up a considerable sum to free their network from the clutches of ransomware. Both of these scenarios look like dollar signs to an industrious bad actor.
As we’ve written before, relying solely on HIPAA compliance as a safety net can do more harm than good. For one, HIPAA courses often do not include information on how to stay cyber-secure in an increasingly interconnected world. Keeping within HIPAA regulations, while vital, has little to do with knowing how to spot a phishing attack, for example. Analyst Garrett Bekker has it right: compliance is only a step toward healthcare cybersecurity.
Additionally, mere compliance does not a risk-aware culture make. In our experience, organizations of all types are best served when their whole employee populations know the importance of sound security principles. Such a state comes from multi-faceted and integrated awareness programs, not just training. Fully formed awareness programs will allow your organization to figure out what sort of education is needed, deploy it in the most efficient way possible, and make training reinforcement materials, such as posters and games, available as needed.
Investing in Humans
So what’s the solution here? Healthcare organizations cannot expect their doctors, nurses, and other healthcare professionals to carry security awareness around like a stethoscope if they’re not taught to do so. A comprehensive awareness initiative will help keep sound cybersecurity principles top of mind, all the time.
We know healthcare organization budgets are often tight, especially when it comes to cybersecurity. But awareness programs, properly designed and deployed, can offer some of the best bang for your organization’s security buck. With the average cost of a data breach for healthcare organizations topping $2.2 million in 2015, can you really afford not to?