Editor's Note: Welcome to Medical Economics' blog section which features contributions from members of the medical community. These blogs are an opportunity for bloggers to engage with readers about a topic that is top of mind, whether it is practice management, experiences with patients, the industry, medicine in general, or healthcare reform. The opinions expressed here are that of the authors and not UBM / Medical Economics.
When it comes to cybersecurity, 2018 was a banner year for the healthcare industry for a myriad of reasons, both good and bad. As the year started, we were inundated with terrible news about how 2017 was worse than any previous year due to the sheer number of data breaches, even though the total number of records exposed decreased. To top this off, we saw definitive proof that healthcare as a whole is significantly behind similarly sized industries in terms of information security. For 2018, 75 percent of healthcare organizations planned to spend just six percent of their IT budgets on cybersecurity, which is half what other sectors spend on security.
Fortunately, reality has not been as harsh on our industry as many expected. One of the most promising developments from 2018 was news that cybersecurity at healthcare organizations is improving at a faster pace than other sectors, although it must be noted that we started from further back, too. But just because we are getting better does not mean we have stopped the bleeding yet. One major problem is finding qualified cybersecurity talent that will work in the healthcare industry. A US Department of Health and Human Services 2017 report found that due to the lack of competitive salaries, staffing woes have not improved. Additionally, the report found that three in four organizations are operating without a designated Information Security (infosec) leader.
We need to think of ways to deal with this shortage of security professionals in the healthcare industry. One method many providers have started using is outsourcing specific security services as appropriate and needed. This can take the form of having a 24/7 Security/Network Operations Center (SOC/NOC) run by a qualified third party, or moving systems to cloud-based services. While it can be nerve-wracking to give up control of systems or security operations, a qualified third party will likely be more capable of performing these tasks than anyone inside your organization. And you won’t have to manage, hire, and train them or their replacements.
Of course, the biggest news stories revolve around large organizations that have large breaches, but there is plenty of evidence that attackers see the value in smaller healthcare organizations’ data too. The bottom line is that health records are valuable individually, and attackers have realized that small practices are relatively easy targets.
The last year
In the last year, we have seen a major uptick in phishing attacks that specifically target payroll direct deposit accounts. Attackers have shown signs of moving from pure money-making efforts (like ransomware) into disruption of operations and destruction of critical data. These are significantly harder to recover from than a ransomware attack or other more common attacks. This, coupled with the obvious value that medical records have to criminals, has created a treacherous situation for healthcare organizations.
Fortunately, not all the news is quite so dire.
Why? Because more of the leadership, executives, and boards of healthcare organizations recognize the need for data security and organizational support. This recognition is, without a doubt, the most powerful tool available to improve the industry’s overall security posture. Their support provides the resources – money, time, and organizational focus – that are helping healthcare improve its overall security posture.
At the same time, don’t let yourself believe that we can let our foot off the gas. While we are making major strides toward becoming as secure as our non-medical counterparts, we are not there yet. The only way we can get to where we need to be is to keep up that pace until we are as secure as possible.
The most important thing that we can do to keep the momentum going is to keep security at the forefront of leadership’s minds. Leadership should include everyone from the C-suite to the board, from maintenance to caregivers, because all of them have a major stake in the security of the organization they work for, and the costs of ignoring the risks are catastrophic. Finally, we can never forget that as we improve our defenses, the offenders improve their tools, tactics, and strategies. Security is never final; it is a continuous journey that must be adjusted and adapted to new threats constantly.
Nye is senior director, Cybersecurity Research and Communications, for CynergisTek.