The healthcare industry’s broad use of electronic records and the value of the data they contain make this vertical particularly attractive to hackers. In a recent study by The Ponemon Institute, nearly 90 percent of the healthcare organizations surveyed had a data breach in the past two years. Forty-five percent had more than five data breaches in that period. That is no small number; the average cost of a cyberattack in this industry is $2.2 million. Data breaches could be costing the healthcare space $6.2 billion.
Target: electronic health records
The Health Information Technology for Economic and Clinical Health Act (HITECH) made electronic health records the norm. Medical records contain personally identifiable information, as well as valuable information like credit card numbers and insurance billing information. As a result, they can fetch around $15 each on the black market.
Last year, Fort Myers, Florida-based 21st Century Oncology experienced a data breach of
more than 2.2 million patient records. In another incident, someone stole a laptop containing 205,748 unsecured patient records from Premier Healthcare LLC.
It would seem obvious that these valuable records should be highly secured. But unfortunately, that is not always the case. The speed at which healthcare organizations moved to digitize health records consumed a lot of IT departments’ time and money. Consequently, there often weren’t sufficient resources left to secure those records.
That’s the equivalent of a ticking time bomb. The Healthcare Information and Management Systems Society recently noted, “Cybersecurity attacks have the potential to yield disastrous results for healthcare providers and society as a whole.”
Data held hostage: ransomware
Healthcare companies also need to address the exploding phenomenon of ransomware. There was an average of more than 4,000 ransomware attacks per day in the first quarter of last year alone, according to a Deloitte 2016 report. That was a 300 percent increase from 2015.
Guarding against ransomware and securing electronic healthcare records and are just two of the cybersecurity concerns facing this industry. The growing use of connected devices to treat patients also significantly raises the cybersecurity stakes.
Health on the line: connected devices
Malicious actors are now able to breach connected healthcare devices such as glucose and heart monitors, and tools used in medical procedures. This not just troublesome from a cost and data security standpoint; these hacks could have life-and-death implications.
In light of this serious threat, the Federal Communications Commission recently proposed that IoT device suppliers—medical outfits included—design security into their products. However, this is just a suggestion. And addressing device security is only part of the challenge. Securing the networks that carry data between devices, and between devices and databases and management systems, is also key.
With so much at stake, it’s not surprising that some cybersecurity rules are already in place. The Cybersecurity Act of 2015 encourages voluntary sharing of cyber threat information between private entities and the federal government, as well as within agencies of the federal government. However, the scope and language of that law is very general.
The good news is that legislative movement is occurring. According to The National Conference of State Legislatures, at least 28 U.S. states last year considered or introduced cybersecurity legislation. Most of these laws and bills address national infrastructure and governmental agencies. But some of them specifically target the interests of businesses.
For example, A new law in Colorado calls for the creation of a state cybersecurity council to provide policy guidance to the governor. That council will also coordinate with the general assembly and the judicial branch regarding cybersecurity. California made it a crime to knowingly introduce ransomware into any computer, computer system or computer network. Utah has enacted civil penalties for hackers. And Washington State has established the State Cybercrime Act.
Bold action ahead
With both cyber threats and their regulations increasing, healthcare organizations need to put a stake in the ground. Businesses that aren’t already involved in the cybersecurity discussion may want to start making their voices heard and pitching in on these efforts now, before cybersecurity regulatory decisions are cemented.
However, it’s important for organizations to remember that regulations typically lag technology by three to four years. Cybersecurity must be a proactive and ongoing process that surpasses mere regulatory compliance. Best-in-class organizations will explore every aspect of the business—people, processes and technology—to find opportunities for greater data safety.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and over a dozen years in IT sand Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom holds a CISSP, an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.