The State of Cybersecurity in Healthcare: Is the Industry Ready?
According to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (DHS), approximately 15 percent of healthcare providers reported a data breach of hospital IT systems within the past 24 months. Other victims include physician practices, ambulatory surgical centers, mental health facilities, rehabilitation facilities, etc.
In addition, OCR reported approximately two-thirds of non-acute providers and business associates reported a security incident within the past 12 months. Taking these statistics into account, I would generously rank provider organizations a 6 out of 10 in their knowledge and technical sophistication and their ability to appropriately mitigate the risk of a cyberattack occurring within their environment.
What core challenges remain that are holding organizations back from having more advanced and proactive defense strategies?
Lack of awareness and insufficient cybersecurity training. Most providers are focused on addressing staffing and medical technology to ensure they improve the quality of care. While these are important priorities, many often overlook the need for further investments in cybersecurity technology and education. Cybersecurity now has to become a strategic focus for providers and be calculated into their cost of doing business. In some cases, this might require providers to invest in dedicated staff to focus exclusively on cybersecurity matters.
The other issue is the sheer volume and sophistication of cybersecurity breaches that are now targeting the healthcare industry. Provider organizations' health data is highly valued on the black market, yielding a treasure trove of valuable information on upwards of thousands to millions of people in just one breach of a system. In addition, the technologies required to mitigate these attacks can be cost prohibitive.
Finally, cyber criminals are constantly updating their methods for exploiting weaknesses in technology, processes and social engineering. It's becoming increasingly a challenge to keep up when cyber criminals are relentless in their pursuit of these targets.
What cybersecurity best practices would you recommend above all in this current moment and how can technology/IT tools further help in this area?
1. Educate, Educate, Educate! - A major benefit of cybersecurity in the healthcare industry is that it helps organizations prevent the leaking of patient information. According to industry stakeholders interviewed by the CHIME and HIMSS associations, creating a strong culture of healthcare cybersecurity, including employee education, risk assessments, and information sharing, is essential for mitigating cybersecurity risk in healthcare organizations.
2. Focus on both external and insider threats - In addition to cybersecurity attacks from external actors, healthcare organizations continue to address the challenges inside their organizations. They should invest in policies and technologies that hold staff accountable for the security and privacy of patient health information.
3. Adopt a proactive vs. reactive strategy in the following areas:
a. EHR System Security
b. Network Perimeter Security
c. End User Authentication & Identity
d. Internet-of-Things ("IoT")
Openly assess your vulnerabilities in these areas, prioritize and remediate the greatest gaps, and continually monitor and manage your security risks.
4. Establish robust third-party vendor and BAA agreements and security risk assessments - There are a number of documented security breaches that targeted key vendors who have access to and/or manage patient health data. In some cases, these organizations or individuals may be unaware of or may have neglected their responsibilities towards protecting the privacy and security of this sensitive data. Furthermore, some may not carry cybersecurity or breach insurance and would have no means of protecting anyone if they were held responsible for a breach.
Do you feel that cybersecurity professionals are currently empowered enough to drive change throughout their organizations?
I believe that those providers who have placed cybersecurity as one of their strategic priorities have also empowered their cybersecurity professionals and staff to drive a culture of change and accountability for the protection of their patients' data.
How do you foresee the next 12 to 24 months playing out in the healthcare cybersecurity landscape? Do you think things will get worse before they get better or do you have a more optimistic view?
Healthcare is the number one industry targeted by cyber criminals, and I expect this to continue to be the case over the next 12 to 24 months. Patient health information is the most valuable data on the black market, yielding upwards of $50+ per patient record. I believe healthcare organizations are becoming more aware of and accountable for their cybersecurity investments. Unfortunately, many providers are still behind the curve with their investment in adequate cybersecurity technologies and best practices. These gaps will continue to be exploited by cyber criminals in the foreseeable future.
Title Annotation: CYBERSECURITY Q&A
Date: Nov 1, 2019