By David Stanton, Director
IT Security and Privacy, Healthcare and Life Sciences industry
As electronic medical records continue to evolve into the de facto standard, healthcare organizations are reaping the cost reduction and business and economic benefits. These benefits are attributed to advanced storage methods, fluid application data sharing and real-time business-relevant analytics. But this progress has its downside, in the form of heightened attention from cyber criminals.
In 2014, healthcare organizations accounted for approximately 25 percent of all reported data breaches – the highest percentage of any industry sector. Even more cyber intrusions are expected in the coming years because of the growing demand for protected health information on the black market. Patient medical records – often exploited for medical identity theft, fraudulent insurance claims, expensive medical equipment and drug prescriptions – can be more valuable to cyber criminals than credit or debit card numbers, which can be cancelled and reissued easily. In 2013, complete health insurance credentials sold for US$20 apiece – approximately 20 times more than the value of a U.S. credit card number with a security code. (See the latest issue of PreView, Protiviti’s newsletter on emerging risks, for more on this troubling trend.)
In the face of this growing threat, what should healthcare leaders do right now? The first step toward protecting patient information is effective risk assessment. A legitimate security framework, such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is a good benchmark from which to assess an organization’s cybersecurity capabilities. Though the use of the framework is voluntary, we support its risk-based approach to managing cybersecurity risk.
A good portion of healthcare organizations can use improvement in the area of cybersecurity risk assessment. According to responses of healthcare leaders who participated in a Protiviti survey about cybersecurity risk and the audit process, only slightly more than half (53 percent) of respondents said they address cybersecurity as part of their audit plan, and nearly half of those acknowledged that internal audit does not evaluate the organization’s cybersecurity program against the NIST framework.
Why the inaction? One reason is perhaps a false sense of security. Healthcare organizations traditionally have placed a strong focus on HIPAA compliance, which covers risk assessment – though not necessarily information security issues. Though HIPAA does require completion of a risk assessment, it does not call for best-practice execution of security controls and adversarial resiliency. Yet organizations continue to use the HIPAA standard as comprehensive risk assessment – potentially leaving themselves exposed to cybersecurity risk.
The availability of cyber insurance also may be contributing to healthcare organizations’ less-than-stellar adoption of a cyber risk assessment and lack of expediency around implementing typical good security hygiene found in other industries (e.g., patch management, encryption, asset management, system hardening, monitoring controls, etc.). But times are changing: Insurance providers are being more prescriptive about what security controls, technologies and processes must be in place to show proper due diligence and can outright reject a claim if preventive measures aren’t implemented before the occurrence of the incident. Cyber insurance also does not compensate for the reputational black eye caused by consumers’ perception of negligence in protecting their information.
The bottom line is this: Healthcare organizations must act now to reduce their cyber risk exposure. Initiating proper risk discussions certainly doesn’t guarantee the avoidance of a breach, or eliminate the risks completely. But it does prepare the organization to conduct five critical functions: identify, protect, detect, respond and – in the case of an incident – recover. The framework and assistance for conducting these functions are available – it’s a matter of taking the first step.