The healthcare sector could be on the verge of a cybersecurity crisis. The findings of a study from Ponemon suggest that consumers have a misplaced confidence in the ability of healthcare providers to keep their personal information safe. Two-thirds said they trust providers to protect their data, while only a quarter trust credit card companies. In reality, healthcare organisations account for 34 per cent of all data breaches, while financial organisations account for only 4.8 per cent (ITRC Data Breach Report). Organisations that don’t take action to close the gap between reality and consumers’ expectations are risking significant damage to their reputation and financial strength.
Healthcare hacks are on the rise. The industry suffered 450 data breaches in 2016, up from 253 in 2015, according to a report by Protenus. Their impact on patients and providers can be tremendous. In 2015, US insurance company Anthem Blue Cross suffered the largest healthcare breach on record, when 80 million patient records were compromised, costing the business $115m in settlements. This year’s WannaCry ransomware attack hit around 40 NHS trusts and their hospitals. Hackers gained access to computers and effectively shut down the entire system, which led to operations and appointments being cancelled or postponed. The emergency measures put in place to address the attack cost around £180,000.
The main cause of healthcare breaches is unauthorised access or disclosure, resulting either from insider threats – employee error, negligence or criminal activity – or external threats, in the form of hacking, skimming and phishing.
The patient data goldmine
Healthcare organisations are a prime target for cyber attacks because of the lucrative personally identifiable information (PII) held in the records they keep, which can be used for identity theft. In the US, there have been reports of medical records selling for $5 apiece on the black market.
The industry is also widely perceived as easy to infiltrate due to having rather weak security technologies and processes. The size and distributed nature of the NHS, combined with its disparate systems and software, lack of resources and possibly inadequate incident response plans, have been cited as potential reasons for its vulnerability to the WannaCry attack.
The impact of a data breach
Half of all consumers have been notified by an organisation that their personal information has been lost or stolen as a result of a data breach in the past two years, according to the Ponemon study. As a result, 65 per cent lost trust in that organisation, and one in four ended their relationship with it.
The same study found that the stock value of 113 companies declined an average of five per cent the day a breach was disclosed, resulting in millions of pounds of losses. They also experienced up to a seven per cent customer churn.
A shot in the arm
Financial organisations appear to have a better understanding than healthcare providers of the value of the information they manage, spending two to three times more on cyber security according to the SANS Institute. Healthcare must catch up.
Mobile working, increasingly complex supply chains and the use of cloud-based services mean organisations no longer have a well-defined ‘boundary’ around the data they hold. As a result, traditional security measures are failing to safeguard against breaches, so organisations must rethink their approach. This is particularly vital in light of the looming General Data Protection Regulation (GDPR), which will impose huge fines on organisations that don’t take adequate steps to secure the personal data of EU citizens.
With so much at stake, cybersecurity can no longer be viewed as an IT problem. It’s a business problem – and senior executives must be involved in developing and implementing a holistic security strategy designed to protect brand credibility, customer loyalty and profits.
There are a number of best practice steps a healthcare organisation can take to strengthen its security posture.
Appoint a dedicated chief information security officer (CISO). It’s their role to educate the board in the merits of investing in appropriate security defences.
Invest in people and technologies. Adequate budget must be allocated to invest in skilled staff and up-to-date security-enabling technologies. Access is healthcare’s Achilles heel, so implement an integrated identity platform that will manage, monitor and protect privileged access and credentials for all users, applications, endpoints and infrastructure.
Plan for the worst. An effective data breach preparedness plan is critical. This should include procedures for communicating with investors and regulators.
Build a culture of security awareness. Employees with access to high-value data are a potential chink in your armour. Training and awareness programmes will increase their understanding of the risks and threats, and get everyone working together to protect information.
Carry out regular vulnerability audits. Assessments will identify any security holes in a computer, network or communications infrastructure, so they can be addressed.
Participate in threat sharing programmes. Similar organisations can often be targeted by the same threat, so collaborating with partners and companies you trust can offer a better and often faster way to prevent and detect attacks.
Patient information is becoming more valuable and attractive to cyber criminals. So far this year, breaches are on track to top 2016 totals, with well over 25 million individual records already exposed. A comprehensive security strategy is the only way to defend the organisation against attack, by preventing unauthorised access to and disclosure of data, and ensuring the confidentiality, integrity, availability and resilience of systems and services.
Bill Mann is senior vice president of products and chief product officer at Centrify, where he is responsible for product strategy, product management and product marketing. Prior to Centrify, Mann held various management and product management positions across the software security spectrum at CA Technologies, as well as senior executive positions at Volera, Novell, Juston and Worldtalk. Mr. Mann has also played a lead role in M&A activities, spearheading multiple acquisitions, product introductions and funding drives. He holds a Bachelor of Science degree with honours in Computer Science from Aston University in England.