By Rodrigo Macias and Johnny Mays of MGO
This year, the average cost of a data breach reached an all-time high at $4 million—and the healthcare industry is at risk, as it contains an abundance of personally identifiable information (PII) in its systems. Examples of PII include individual diagnoses, insurance information, credit cards, and Social Security numbers.
PII is among the costliest data that can be accessed in a breach, and with the large move to telehealth and the new technology systems that power it, this data is more exposed because of security weaknesses introduced by that still-maturing technology. Because these systems help deliver life-saving healthcare and medicine, they cannot simply be abandoned because they are more susceptible to security vulnerabilities. Thus, it is crucial for healthcare organizations to create and implement cyber risk plans and to understand in advance the decisions that will need to be made during and after an attack, both to protect private data and to avoid the hefty costs associated with lost revenue, lost business, and system outages.
With data breaches set to become more frequent, it is more important than ever for healthcare organizations to be proactive and prepared. Here are some steps to take.
Have a Plan
With a plan in place, an organization is ready to respond. This includes knowing who will perform each necessary activity and which outside parties to contact, ranging from law enforcement and regulatory authorities to the cyber insurance carrier, a cyber consulting firm, and legal counsel.
Know that some systems are more critical than others and will need more immediate action. These include any system that supports patient care, from scheduling assistance to digital diagnostics, and they must have a more rigorous risk prevention protocol in place than, say, an administrative system. It is important to note that any kind of record, including health records, can be a target and should be protected.
Who needs to be contacted in the wake of an attack? What will be said? Determining a notification threshold and developing a script ensures the message is passed succinctly and accurately to those who need to know about the breach. In addition to patients and staff, vendors, regulators, and stakeholders need to be made aware of the incident.
Maintain IT governance
IT governance should be practiced all the time, not just immediately following an attack. Make it a habit within the organization to hold monthly meetings that check in on proactive security activities and reassess the organization's current level of risk. Get everyone involved to develop a culture of security.
Create a Risk Committee
With a formal risk committee, you can better keep the organization aligned with important IT practices, especially with large-scale projects and various departmental functions. The committee members will understand what a breach means for the organization as well as the community it serves and help to perpetuate a culture of cybersecurity from the lowest levels to the top.
Perform Cyber Risk Assessments Annually
Performing an annual cyber risk assessment ensures that all members of the organization, especially those who are not IT experts, understand where the organization stands in terms of security and what needs to be done to prepare for a potential attack. This supports planning, prevention, and the organization's ongoing response to security breaches.
About the Authors
Rodrigo is a partner at MGO and leads the firm's risk advisory, forensic accounting, management consulting, and IT advisory services practice. He has provided risk management and performance and operational efficiency services to multiple industries, including state and local government agencies, Tribes, Fortune 500 companies, banks, casinos, hotels, and restaurants. Rodrigo's 14 years of experience include performing internal audits, compliance audits, and IT assessments; developing fraud risk assessments; performing forensic investigations; and assisting general counsel with litigation support and expert witness testimony. He has led forensic investigations ranging from fraud insurance recovery assessments to forensic investigations in which the Federal Bureau of Investigation (FBI) utilized the firm's supporting documentation in its own investigations.
Johnny has a focus on systems analysis and design, process improvement, and IT security. His more than seven years of experience with Big 4 client service and in industry with a multinational technology company strongly reinforces his ability to communicate complex concepts in a clear and concise manner to a wide variety of audiences.