The health care field continues to present an appealing target for cybercriminals. Yet organizations are showing varying degrees of ability to keep up with this threat, as several new surveys suggest.
In June, the Workgroup for Electronic Data Interchange noted that data breaches compromised roughly 37 million healthcare records between 2010 and 2014. The pace has accelerated quickly, with attacks exposing roughly 100 million records in just the first four months of 2015.
According to the WEDI report, criminals are willing to pay more for medical records than for credit card numbers because the rich supply of information they contain (addresses, Social Security numbers) is useful for identity theft.
Resource limitations may affect organizations' cyber readiness
Corporate board members may have a weak grasp of cybersecurity threats as well. A National Association of Corporate Directors survey found that just 11 percent of corporate directors had a high-level understanding of these risks.
New findings from the 2015 Healthcare Information and Management Systems (HIMSS) Cybersecurity Survey highlighted the importance of maintaining internal resources to prevent and manage attacks. Of 297 participants – who work in healthcare information security – two-thirds said their organization "had experienced a significant security incident in the recent past."
Employee negligence was the largest single reason for incidents. But 64 percent said hackers, scammers and other outsiders had been responsible for such events. In about one-fifth of cases, the attack exposed "patient, financial or operational data."
More than half of the organizations employed full-time personnel to handle information security. Yet 64 percent felt that insufficient cybersecurity staffing presented a barrier to properly managing these incidents.
Keeping good information security staff on board to protect against the rising threat is a challenge for healthcare organizations, Mayo Clinic's chief information security officer, Jim Nelms, recently told the Wall Street Journal. The lure of bigger paychecks makes this workforce "quite a transient population," he said.
Recent health care data breaches "have been a wake-up call that patient and other data are valuable targets and healthcare organizations need a laser focus on cyber security threats," said Lisa Gallagher, vice president of technology solutions for HIMSS. "Healthcare organizations need to rapidly adjust their strategies to defend against cyber-attacks. This means incorporating threat data, and implementing new tools and sophisticated analysis into their security process."
WEDI urges health care organizations to address cyber threats at the highest levels. "The risk of cyber attacks is no longer limited to the IT desk, it is a key business issue that must be addressed by the C-suite," the authors note. "…[N]o healthcare organization can be completely immune from cyber attacks and adversaries. However, they can take appropriate measures to erect defenses and integrate cyber security into the business environment and culture."
These steps include:
- Ensuring that all employees remain aware of the role they play in limiting their organizations' exposure to threats via potentially harmful emails, websites and files.
- Properly updating and patching operating systems, antivirus software and anti-malware programs.
- Maintaining automated alerts to notify staff to take appropriate action, according to protocol, in the event of a breach.