Guest post by Santosh Varughese, president, Cognetyx.
The U.S. healthcare industry is under siege from cyber criminals who are determined to access patient and employee data. Information security think tank Ponemon Institute’s most recent report on healthcare cyber security, published in May 2016, revealed some sobering statistics:
- In the past two years, 89 percent of healthcare organizations – and 60 percent of their business associates (or BAs) – experienced at least one data breach, with 79 percent experiencing two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. These breaches have not declined since Ponemon began tracking them in 2010.
- The average cost of a healthcare data breach is about $2.2 million.
- Criminal attacks, from outside the organization or from malicious insiders, account for half of all healthcare data breaches, the other half being due to mistakes by employees or BAs.
- The majority of respondents (69 percent of healthcare organizations and 63 percent of BAs) feel that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, the majority of respondents reported that their organizations had either decreased their cyber security budgets or kept them the same.
Another study, conducted in April by IBM, found similar problems, as well as insufficient employee training on cybersecurity best practices and a lack of commitment to information security from executive management.
With only about 10 percent of healthcare organizations having avoided a data breach, hackers are clearly winning the healthcare data security war. However, there are proactive steps that the healthcare industry can take to turn the tide in its favor.
Data Security Starts with a Culture of Security Awareness
Both the IBM and Ponemon studies highlight an issue that experts have been talking about for some time: despite increasing dangers to information security, many healthcare organizations simply do not take cybersecurity seriously. Digital technologies are relatively new to the healthcare industry, which was very slow to adopt electronic records, and when it finally did so, it implemented them rapidly without providing employees adequate training on information security procedures.
Unfortunately, many front-line employees feel their only job is to treat patients and that information security is “the IT department’s problem.” These employees fail to grasp the importance of data security and are not educated on the dangers of patient data breaches, a gap reflected in Ponemon’s finding that employee mistakes account for half of all healthcare data breaches.
The healthcare industry needs to adjust this attitude toward cybersecurity, implement a comprehensive and ongoing information security training program, and cultivate a culture of security awareness. Information security should be included in every organization’s core values, right beside patient care. Employees should be taught that data security is part of everyone’s job, and all supervisors – from the C-suite down to the front line – should model data security best practices.
Additionally, organizations should implement physical security procedures to secure network hardware and storage media (such as flash drives and portable hard drives) through measures like maintaining a visitor log and installing security cameras, limiting physical access to server rooms, and restricting the ability to remove devices from secure areas.