It’s been a rough summer for healthcare organizations when it comes to data security.
- June saw a record number of incidents, with the information of 11 million patients breached in 29 different events, according to the new Healthcare Breach Barometer.
- In one particularly egregious incident in late June, a hacker known as The Dark Overlord stole nearly 10 million patient records from providers and a major insurer and tried to ransom them for Bitcoin. Imagine buying your own health data back for the equivalent of about $60 per record.
- The cost of insufficient protection became painfully clear to one IT services company in early July when it was hit with a whopping $650,000 HIPAA fine. The judgment resulted from the theft of an employee iPhone that compromised the protected health information of 412 nursing home residents.
These examples, and so many more, make clear: Data security is one of the most pressing challenges faced by healthcare organizations today. Yet it continues to be one of the issues least understood by executive leaders.
A recent study found that although nearly 90% of surveyed healthcare organizations suffered a data breach in the past 2 years, the majority of providers have “little or no confidence” that they can detect patient data loss or theft. Worse, they don’t have sufficient security budget to curtail the number of incidents.
Most healthcare organizations understand that they’re under attack and have suffered monetary losses (to the tune of $2.2 million on average), but few have taken the necessary steps to prepare for a breach.
We know that today’s threats are sophisticated and often industrialized. Threat actors are able to seek out points of weakness, including employees and customers, and use them as a way into patient data. We also know that these attacks are continuously evolving: what stopped an attack today might not work tomorrow.
That is why healthcare leaders need to take action – now – before another major data breach occurs.
There are steps organizations can take to adequately protect patient data. I discuss these frequently in my role as global lead for CSC’s cyber consulting.
For me, it starts with an assessment, gaining a sense of what’s working and what’s not with the current systems you have in place to protect data. After understanding your current security posture, a trusted partner can develop recommendations on how to implement a compliant cybersecurity system, taking significant steps to mitigate the impacts of cyberattacks.
Of course, it doesn’t end there. The process needs to be repeated regularly in order to ensure protection against emerging threats.
Smart organizations will take one additional step and put an incident response service plan in place. A recent report showed that enterprises that establish this plan – and form teams ready to respond in times of emergency – reduce the cost of a breach and shorten recovery time. Perhaps most importantly, these organizations can protect themselves from reputational damage — minimizing the risk of public attention and reducing legal impacts as a result of attacks.
As the summer continues to heat up, make sure your healthcare organization is prepared on the cybersecurity front. The threats are real and your organizational and patient data are at risk – but with a little investment and preparation now, you can keep your data safe and your organization out of tomorrow’s news.
Rex Johnson is Partner and Global Lead for CSC Cybersecurity Consulting. He has more than 25 years of IT, business, and leadership experience. His areas of expertise include project and program management, security and privacy, enterprise risk management, security management and operations, IT governance, life cycle application development, internal and external audit, regulatory compliance and controls assurance. He leads teams to address root cause in security risks and develop long-term sustainable solutions. Mr. Johnson is also a retired Army officer with experience in national security, public affairs, and information operations.