Unless the healthcare industry implements stronger internal controls, cybersecurity breaches—particularly in the form of ransomware—may no longer be just a matter of protecting health information; cyber attacks could impact patient safety in the not-so-distant future.
Historically, the financial services industry has been targeted more than others by cybersecurity threats, including distributed denial of service, malware, brute-force network attacks and spear phishing. However, with more criminals entering the trade, supported by an underground economy that sells them the tools they need, many more industries are seeing increases in cybersecurity incidents.
Ransomware is malicious software that can restrict access to a digital device or system—whether a smartphone, laptop or entire computer network—until the owner of the system pays a sum of money (the ransom).
According to BitSight data, the rate of ransomware infections in healthcare organizations has nearly doubled in the past year, and ransomware accounted for 88 percent of all detections during the second quarter of 2016, according to a Solutionary study.
Because of the nature of the data affected, ransomware is a particularly effective cybersecurity threat against the healthcare industry. Patient records are sensitive, and if they are encrypted and held hostage, the care a patient receives may depend on getting them back.
Recently, a Los Angeles hospital was reportedly asked to pay $3.6 million to reclaim patient information that was captured in a ransomware attack. The hospital subsequently confirmed in a statement that it paid a ransom in order to return the network to working order.
When the healthcare industry suffers a hit, it's often with bigger financial implications, according to a 2015 Net Diligence Cyber Claims study, which found that the average total claim for a breach in the healthcare sector was $1.3 million as compared to $673,767 across all industries.
Losses in the healthcare industry are significantly larger than the overall average of all business sectors because health information can be used by criminals to commit multiple types of fraud or identity theft.
Protecting your company's and your customers' data from the growing threat landscape, including ransomware, requires a layered approach. It starts with how ransomware enters the company, which is typically through an end user who opens a malicious attachment or link. Education and strong end-user controls are therefore one of the first layers of defense. Next, the company needs robust detection and response processes, so that an infection is noticed and contained while it is still affecting a few files rather than an entire file share. Finally, it needs a modernized backup and recovery process that accounts for ransomware: backups that the malware cannot reach and encrypt, and restores that have actually been tested.
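The detection layer described above is where a practitioner can act quickly. The following added example (not from the original article) shows the kind of check a file-server audit feed can support: a sliding-window detector that flags a user who renames many documents to an unknown extension within a short period, corroborated by high-entropy writes, which is what bulk encryption looks like from the outside. The event fields, extensions, thresholds and sample events are all constructed assumptions rather than any product's schema or tuning.

```python
"""Detecting ransomware-like file activity from file-server audit events.

Added example, not the article's own material. Events, field names and
thresholds below are constructed assumptions for illustration.
"""
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed tuning: a person rarely renames 20 documents in a minute, and
# properly encrypted bytes approach 8 bits of entropy per byte.
WINDOW_SECONDS = 60
RENAME_THRESHOLD = 20
ENTROPY_THRESHOLD = 7.5
KNOWN_EXTS = {".docx", ".pdf", ".jpg", ".dcm", ".txt", ".xlsx"}


@dataclass
class Event:
    ts: float            # seconds since epoch
    user: str
    op: str              # "rename" or "write"
    path: str
    new_path: str = ""   # rename target
    data: bytes = b""    # first block of written content


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension_changed_to_unknown(ev: Event) -> bool:
    """True when a rename swaps a known document extension for an unknown one,
    e.g. report.docx -> report.docx.locked."""
    old_ext = os.path.splitext(ev.path)[1].lower()
    new_ext = os.path.splitext(ev.new_path)[1].lower()
    return old_ext in KNOWN_EXTS and new_ext not in KNOWN_EXTS and new_ext != old_ext


class RansomwareDetector:
    """Per-user sliding window of suspicious renames and high-entropy writes."""

    def __init__(self, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._renames = defaultdict(deque)   # user -> timestamps
        self._writes = defaultdict(deque)    # user -> timestamps
        self._alerted = set()

    def _push(self, q: deque, ts: float) -> None:
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events outside the window
            q.popleft()

    def ingest(self, ev: Event):
        """Feed one event; return an alert dict the first time a user crosses the threshold."""
        if ev.op == "rename" and extension_changed_to_unknown(ev):
            self._push(self._renames[ev.user], ev.ts)
        elif ev.op == "write" and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
            self._push(self._writes[ev.user], ev.ts)
        else:
            return None
        renames = len(self._renames[ev.user])
        if renames >= self.threshold and ev.user not in self._alerted:
            self._alerted.add(ev.user)
            return {"user": ev.user, "reason": "mass rename to unknown extension",
                    "count": renames, "high_entropy_writes": len(self._writes[ev.user]),
                    "last_path": ev.new_path}
        return None


def run_detection(events):
    """Run every event through one detector, in timestamp order; return alerts."""
    det = RansomwareDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = det.ingest(ev)
        if alert:
            alerts.append(alert)
    return alerts


def sample_events():
    """Constructed audit events: one infected workstation plus benign noise."""
    evs = [Event(1000 + 2 * i, "nurse1", "rename", f"patient_{i}.docx",
                 new_path=f"patient_{i}.docx.locked") for i in range(25)]
    encrypted = bytes(range(256)) * 4          # deterministic 8.0 bits/byte
    evs += [Event(1001 + 2 * i, "nurse1", "write", f"patient_{i}.docx.locked",
                  data=encrypted) for i in range(3)]
    evs += [Event(1010 + i, "admin", "rename", f"notes{i}.txt",
                  new_path=f"notes{i}.bak") for i in range(5)]     # few, stays under threshold
    evs += [Event(1020 + i, "nurse2", "rename", f"scan{i}.jpg",
                  new_path=f"scan{i}_old.jpg") for i in range(30)]  # same extension, benign
    evs.append(Event(1030, "nurse2", "write", "note.txt", data=b"Patient is resting. " * 50))
    return evs


if __name__ == "__main__":
    for a in run_detection(sample_events()):
        print(a)
```

In practice the alert would feed the response layer: disable the user's session or SMB share access and preserve the workstation for forensics. The entropy check matters because the rename heuristic alone misses families that encrypt in place without changing the file name.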
The healthcare industry is the sector most frequently breached (at 21 percent), according to the 2015 Net Diligence Cyber Claims study.
Ransomware has the potential for great impact on human life, and thus is seen as a bigger threat in the healthcare industry than in other sectors. Healthcare providers collect, store and share patient data, along with the information that emergency room procedures, lab work, CT scans and pharmacy services depend on.
Ransomware can bring operations to a halt, delaying treatment and interrupting critical processes. And that is just the first 24 hours after the data is taken hostage. Most ransomware displays a countdown timer, commonly 24 to 72 hours, after which the attacker threatens to delete the decryption key or raise the price; once the key is gone, the data is effectively destroyed. That poses an even harder problem: restoring terabytes of data from backup quickly enough to keep caring for patients.
Industries can learn a lot about cybersecurity best practices from one another. For example, the healthcare industry could follow the example set by the financial services industry—which is also highly regulated and committed to protecting customer information—and its robust third-party oversight programs.
The SEC announced an initiative in April 2016 to assess the cybersecurity preparedness of the securities industry by examining more than 50 registered investment advisors and broker-dealers. As a result, hedge fund managers, brokers, advisors and asset managers operate within a heightened regulatory environment that requires greater protection of personal information, stronger system controls and more robust governance, and requires them to get there faster.
The processes and protocols that healthcare companies can adopt from financial firms include being more diligent about user training, system patching, updating anti-virus software, shortening incident response time and maintaining an accurate asset inventory.
Both financial services and healthcare have leaned heavily on digital systems. However, the financial industry has more rapidly embraced the use, integration and rationalization of data. In this respect, healthcare may be years behind in maturity.
At a minimum, the internal controls that healthcare firms should consider putting in place include a written security policy that addresses data breach preparedness, a process of periodic risk assessment for changes in a company's privacy and security environment, and the ability to work with forensic organizations in the event of a breach.
Whether your firm stores client financial data or medical information, internal controls should be robust.