The healthcare industry has been rapidly evolving over the past few years as virtual services continue to remain popular with healthcare consumers. From telehealth to contactless check-in, the office visit has evolved and modernized, creating better experiences for both patients and practitioners. Of course, as processes are automated and more patient data moves online, private information becomes susceptible to targeting by data hackers. Unfortunately, it’s not just a theoretical scenario. Data breaches have occurred and continue to infect the healthcare industry.
Case in point, in 2022 Bay Bridge Administrators (BBA), a third-party administrator of fully-insured employee benefit plans, fell victim to a data security incident that impacted almost 250,000 of their customers. Turns out a threat actor surreptitiously breached the BBA network and was able to obtain sensitive patient data including patient names, Social Security numbers, health insurance information and confidential medical information.
Not only are these cyberattacks on the rise, so is the cost of mitigating them. Up nearly 10% since 2021, the average cost of a security breach in the healthcare industry today is $10.1 million, which is the highest it’s been since IT professionals have been tracking the impact on the medical industry.
The costs are not just financial. Providers that suffer a data breach face a potential PR nightmare and reputational damage that can be hard to bounce back from. It’s why it’s become increasingly incumbent on these practices to implement preventative measures that safeguard their patients’ data.
The news is even worse for smaller practices who generally don’t have the resources to protect themselves. Cyber criminals thwarted by strong security measures taken by the larger medical firms have now set their sights on smaller facilities – where there is still valuable data to be hacked.
HEALTHCARE’S ACHILLES’ HEEL
There are several factors in play that make the healthcare industry, and individual practices, prone to this type of attack. One of the biggest challenges is that, despite the modernization of many patient services, antiquated legacy networks are still in place.
Sadly, most healthcare providers lack a uniform established framework and don’t use an internal, hardened-build standard that could be used to validate their current status. Instead, there’s fragmented adoption of cybersecurity frameworks such as NIST, Mitre, and Zero Trust methodology. This amplifies the number of breach opportunities.
In addition, patient data is, in many cases, still inputted manually, meaning multiple people have access to the systems that retain patient data and electronic records. This isn’t the most secure scenario. People make mistakes, especially the harried front desk worker whose attention is often pulled in many directions at once.
To make a difficult situation even worse, most practices have limited resources allocated to IT security. This creates an ecosystem where many legacy systems are inadvertently put at risk for new forms of attack. If practices do not keep up with the latest cybersecurity innovations, such as AI-driven breach and attack simulations, and do not adopt the most up-to-date security measures, we’re bound to see more data breaches that will impact healthcare organizations nationwide.
The healthcare industry needs to take a sophisticated and mindful approach to assessing the risk to its security posture, as both newly implemented technologies and legacy applications are at imminent risk.
Here are several steps to consider:
UNDERSTAND THE RISK
It can be a cultural issue. Just as practices were slow to adopt technologies like telehealth, they lack robust identity and access management controls for their applications and systems. One of the best things a practice can do is to elevate the threat of cyberattack to a genuine risk-management concern. One measure a business can take is to perform a cybersecurity posture assessment to determine what systems they have in place, how old they are, how fragmented they may be, and whether they are “up to code” in light of the new technologies in play here.
IDENTIFY NETWORK PAIN POINTS
Ideally, to protect their systems from attack, organizations should come up with a comprehensive strategy for building a robust and multi-layered cybersecurity solution. Since every existing network is different, one of the first steps should be to conduct a breach and attack simulation. That simulation will help identify the vulnerabilities in the system that hackers could potentially exploit.
EMPLOY A ZERO-TRUST METHODOLOGY
In addition to identifying system points that are prone to hacking, healthcare organizations should also adopt what’s known as a zero-trust methodology. This includes capitalizing on the NIST security framework and making it standard at all practices. This can help to ensure new software applications and hardware devices are adequately secured BEFORE deployment.
An investment in cybersecurity is often looked at like an insurance policy. You generally don’t know you need it until you fall victim to a tragedy. And from that point on, you’ll never want to go without it again. Be mindful about how your practice is defending itself against the next generation of cyber threats and don’t be afraid to seek the assistance of a qualified third party to show you where those vulnerabilities may lie.