Is your healthcare data protected?
Written by Todd Friedman, Chief Information Security Officer, ResMed, and Brian Tolkkinen, Director of Information Security, MatrixCare
It may surprise you to know that healthcare is one of the industries most heavily targeted by attackers.
There are many reasons for this. A patient record holds far more than a credit card number: it typically bundles home address, Social Security number, financial account details, insurance identifiers, and the medical history itself. Medical devices and the data they generate have also become attractive targets.
Because they bundle so much personal information, healthcare records are reported to sell for many times the price of a stolen credit card number on criminal markets. A compromised card can be cancelled and reissued; a diagnosis, a Social Security number, or a date of birth cannot. This raises a crucial question: is your data protected as well as it can be?
Healthcare data breaches are a ticking time bomb.
The move to electronic health records and the increased use of telemedicine means providers need to protect systems, information, and operations not only in the interest of patient and employee safety, but also to protect their businesses. Consider these numbers:
- The average cost of a healthcare data breach, per incident, is $9.23 million*
- The average cost of a ransomware attack for all businesses is $4.62 million; the average for healthcare providers is likely higher*
What’s more, healthcare providers in the United States are subject to HIPAA and other regulations that add to the potential impact of a data breach, including significant fines and corporate integrity agreements that require additional investment to fix identified deficiencies.
Add to this the fact that employees are increasingly tired, stressed, and untrained in cybersecurity risks, and you have a ticking time bomb.
Many companies view cybersecurity as an added expense—but it’s nothing compared to what they could lose in a data breach. And it’s not just hospitals that are being targeted. Life plan communities, assisted living, skilled nursing, memory care, and more are all at risk.
It’s vital to follow cybersecurity best practices.
Without expert cybersecurity help, it can be hard for healthcare leaders to know how to begin enhancing their defenses. The proliferation of cyber threats and challenges underscores the importance of partnering with technology providers that:
- invest appropriately and continually in information security
- can be trusted to protect information and health records
- are proven to protect patient privacy and safety
- do their part to protect the provider’s business
It’s difficult to recover from any type of disaster. But if you’re hacked, then you also have trust issues, so it’s even more devastating.
How to build a successful enterprise-grade security program
Fortunately, there are steps you can follow to establish and maintain an effective cybersecurity program. Here are some things to consider:
Senior management support. If it’s not important to somebody within the organization that defines strategy and has a role in prioritization and budgeting, it’s going to be really tough to create a successful security program.
Strategic alignment. Business leaders need to identify what’s most important. What are the priorities? What is the risk tolerance? If you try to go with other priorities that don’t resonate, it’s pretty tough to be successful.
Factor in compliance and protecting patients. Your security partner needs to understand how your business works, and that data, systems, patient care, and maintaining trust are paramount.
Building a team is tough right now. Industry estimates put the number of unfilled information security roles at roughly 650,000 in the United States alone and about three million worldwide. Even so, creating an environment where security staff can be productive and do their best work should be a top priority.
Make it clear that security is everybody's job. Everyone in your organization should be trained and alert enough to pause and think before clicking a suspicious link in an email. That decision is made in real time, and it is one of the most important controls you have. To make it easier for employees to keep data secure, add safeguards that do not depend on them getting it right every time, such as multi-factor authentication and enforced password policies.
Have the right tools. You need an accurate inventory of your assets and the ability to manage them; you cannot protect a system you do not know exists. You also need to monitor your environment, flag anomalous behavior such as bursts of failed logins or activity from devices that are not in the inventory, and recognize quickly when you have a problem so you can respond immediately.
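As an added illustration of the two capabilities above (an asset inventory plus monitoring for anomalous behavior), the following Python is example code written for this article, not a tool or script from ResMed or MatrixCare. The log format, hostnames, usernames and addresses are all constructed and hypothetical; the script checks each authentication event against a known-asset list and flags repeated login failures from one source against one account within a short window, noting whether a success followed.

```python
"""Check auth events against an asset inventory and flag failed-login bursts.

Example code for illustration only. The log format below is hypothetical:
  "<ISO timestamp> <host> auth <OK|FAIL> user=<name> src=<ip>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical hostnames).
ASSET_INVENTORY = {"ehr-app-01", "ehr-db-01", "nurse-ws-07"}

# Constructed sample log lines in the hypothetical format above.
SAMPLE_LOGS = """\
2024-03-04T08:00:01 ehr-app-01 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:00:09 ehr-app-01 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:00:15 ehr-app-01 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:00:22 ehr-app-01 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:00:31 ehr-app-01 auth FAIL user=jsmith src=203.0.113.5
2024-03-04T08:00:40 ehr-app-01 auth OK user=jsmith src=203.0.113.5
2024-03-04T08:05:00 nurse-ws-07 auth OK user=alee src=10.20.0.15
2024-03-04T08:07:12 legacy-pacs-02 auth OK user=svc_backup src=10.20.0.40
2024-03-04T09:00:00 ehr-db-01 auth FAIL user=root src=198.51.100.9
"""

FAIL_THRESHOLD = 5          # failures from one (src, user) pair ...
WINDOW = timedelta(minutes=5)  # ... within this window trigger a finding


def parse_line(line):
    """Split one hypothetical-format log line into a dict."""
    ts, host, _, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_unknown_assets(events, inventory):
    """Hosts that produced events but are not in the asset inventory."""
    return sorted({e["host"] for e in events if e["host"] not in inventory})


def find_failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding window per (src, user): fire once when `threshold` failures
    land inside `window`; if a success follows, mark the finding as such."""
    findings = []
    recent_fails = defaultdict(list)   # (src, user) -> timestamps of failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["user"])
        fails = recent_fails[key]
        if e["result"] == "FAIL":
            fails.append(e["ts"])
            while fails and e["ts"] - fails[0] > window:   # age out old failures
                fails.pop(0)
            if len(fails) == threshold:                    # fire once per burst
                findings.append({"type": "failed_login_burst", "src": e["src"],
                                 "user": e["user"], "host": e["host"],
                                 "succeeded_after": False})
        elif e["result"] == "OK":
            if len(fails) >= threshold:
                # A success right after a burst is the case worth escalating.
                for f in reversed(findings):
                    if (f["src"], f["user"]) == key:
                        f["succeeded_after"] = True
                        break
            fails.clear()
    return findings


def analyze(log_text, inventory):
    events = parse_logs(log_text)
    return {
        "unknown_assets": find_unknown_assets(events, inventory),
        "bursts": find_failed_login_bursts(events),
    }


if __name__ == "__main__":
    for name, items in analyze(SAMPLE_LOGS, ASSET_INVENTORY).items():
        print(name, items)
```

On the constructed sample this reports one host missing from the inventory (legacy-pacs-02) and one failed-login burst against jsmith from 203.0.113.5 that was followed by a successful login, which is the event an analyst would want paged on. A single failure against root does not reach the threshold and is not reported.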
Keep pace with the evolving threat landscape. Security is not a one-time thing. A comprehensive enterprise security program that protects you for the long haul takes considerable time and investment because of its significant scope. Governance, risk management discipline, compliance, and auditing all must be in place to make sure things run efficiently.
Look for a partner that cares about security as much as you do. Make sure they evaluate the security program and controls you already have in place, and factor in the cost of cyber insurance, whose premiums have risen by 150% to 200% over the past few years.
Check references. A new security or technology provider should be a true partner in every way. To make sure they are the right fit, ask to speak with their existing customers. Some key questions include: "Have you had security issues? How did your partner respond? How seriously did your partner take the issues? Are you passionate about security? Are you feeling peace of mind today?"
Long-term healthcare organizations shoulder a special responsibility to protect patient, employee, and resident information. As more data goes digital and more systems move toward interoperability, establishing robust information security programs is vital for organizations of all sizes.
* Both statistics from Ponemon Institute: https://www.ibm.com/downloads/cas/OJDVQGRY