The State of Cybersecurity in Healthcare: Is the Industry Ready?
How would you rank provider organizations’ sophistication levels in being able to properly defend themselves against cyberattacks (1 to 10 scale with 1 being completely unprepared and 10 being extremely advanced in their preparation)?
According to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (DHS), approximately 15 percent of healthcare providers reported a data breach of hospital IT systems within the past 24 months. Other victims include physician practices, ambulatory surgical centers, mental health facilities, rehabilitation facilities, etc. In addition, OCR reported approximately two-thirds of non-acute and business associates reported a security incident within the past 12 months. Taking these statistics into account, I would generously rank provider organizations a 6 out of 10 in their knowledge and technical sophistication on their ability to appropriately mitigate the risk of a cyberattack occurring within their environment.
What core challenges remain that are holding organizations back from having more advanced and proactive defense strategies?
Lack of awareness and insufficient cybersecurity training. Most providers are focused on addressing staffing and medical technology to ensure they improve the quality of care. While these are important priorities, many often overlook the need for further investments in cybersecurity technology and education. Cybersecurity now has to become a strategic focus for providers and calculated into their cost of doing business. In some cases, this might require providers to invest in dedicated staff to focus exclusively on cybersecurity matters.
The other issue is the sheer volume and sophistication of cybersecurity breaches that are now targeting the healthcare industry. Provider organizations’ health data is highly valued on the black market, yielding a treasure trove of valuable information upwards of thousands to millions of people in just one breach of a system. In addition, the technologies required to mitigate these attacks can be cost prohibitive.
Finally, cyber criminals are constantly updating the methods for exploiting weaknesses in technology, processes and social engineering. It’s becoming increasingly a challenge to keep up when cybercriminals are relentless in pursuit of these targets.
What cybersecurity best practices would you recommend above all in this current moment and how can technology/IT tools further help in this area?
1. Educate, Educate, Educate! – A major benefit of cybersecurity in the healthcare industry is that it helps organizations prevent the leaking of patient information. According to industry stakeholders interviewed by the CHIME and HIMSS associations, creating a strong culture of healthcare cybersecurity, including employee education, risk assessments, and information sharing are all essential aspects for mitigating cybersecurity risk in healthcare organizations.
2. Focus on both external as well as insider threats - In addition to cybersecurity attacks from external actors, healthcare organizations continue to address the challenges inside their organizations. They should invest in policies and technologies that hold staff accountable for the security and privacy of patient health information.
3. Adopt a proactive vs reactive strategy in the following areas:
a. EHR System Security
b. Network Perimeter Security
c. End User Authentication & Identity
d. Internet-of-Things (“IoT”)
Openly assess your vulnerabilities in these areas, prioritize and remediate the greatest gaps and continually monitor and manage their security risks.
4. Establish robust third-party vendor and BAA agreements and security risk assessments - There are a number of documented security breaches that were targeted at key vendors who have access and/or managed patient health data. In some cases, these organizations or individuals may be unaware or may have neglected their responsibilities towards protecting the privacy and security of this sensitive data. Furthermore, some may not carry cybersecurity or breach insurance and would have no means of protecting anyone if they were held responsible for a breach.
Christopher Kunney, CPHIMS, CPHIT, MSMOT, Chief of Strategy and Business Development – Juno EHR (Designed & Developed by DSS, Inc.)
Do you feel that cybersecurity professionals are currently empowered enough to drive change throughout their organizations?
I believe that those providers who have placed cybersecurity as one of their strategic priorities have also empowered their cybersecurity professionals and staff to drive a culture of change and accountability for the protection of their patients’ data.
How do you foresee the next 12 to 24 months playing out in the healthcare cybersecurity landscape? Do you think things will get worse before they get better or do you have a more optimistic view?
Healthcare is the number one industry targeted by cyber criminals and I expect this to continue to be the case over the next 12 to 24 months. Patient health information is the most valuable data on the black market, yielding upwards of $50+ per patient record. I believe healthcare organizations are becoming more aware and accountable for their cybersecurity investments. Unfortunately, many providers are still behind the curve with their investment in adequate cybersecurity technologies and best practices. These gaps will continue to be exploited by cyber criminals in the foreseeable future.
NOVEMBER/DECEMBER 2019 | hcinnovationgroup.co