It's no secret that 2016 has proved to be a very challenging environment for healthcare leaders when it comes to safeguarding sensitive patient data.
Cybersecurity threats and malicious actors have continued to wreak havoc across the spectrum of healthcare organizations. The number of hacking incidents in healthcare has trended upward over the last few years as adversaries have followed opportunity.
In 2016, the healthcare industry experienced an increase in the number of successful cyber-attacks on providers and a heightened focus on compliance from OCR. Couple this with the prevalence of ransomware, as well as tackling Business Associate risk, many leaders find themselves looking for a silver bullet.
The bottom line is that bad actors are more focused on exploiting sensitive healthcare data than ever before. This year, organizations need to take a depth and breadth approach to managing their cybersecurity posture. Let's look closer at some of the most pressing cybersecurity risks for healthcare and how your organization can combat them in 2017.
The Appeal of Healthcare Data
It has become blatantly obvious that malicious actors have turned their focus away from the historically lucrative arenas like the financial industry and have been aggressively targeting healthcare data — and will continue to do so in 2017. But why? There are three main drivers:
• First, healthcare providers are now digitized. The 2009 HITECH Act successfully spurred a tidal wave of electronic health record (EHR) implementations which significantly increased the amount of personal health information that is now digital. The speed to implement EHRs nationwide consumed most IT departments' capital budgets and made it almost impossible for healthcare organizations to adequately protect electronic patient data at the same speed as the advancement in their environments. Many organizations now find themselves playing catch-up as it pertains to implementing a security program that addresses the technical and human aspects of protecting patient data.
• Second, adversaries now realize that healthcare networks are exploitable because they tend to be less sophisticated and are easier to compromise.
• Third, medical records are reportedly defined as the most rewarding source of personal information because the data tends to be more complete, encompassing everything from medical insurance numbers to credit card numbers. The market value of medical information is worth 10 times more than credit card data on the black market 1. Due to the comprehensive nature of these records, they can be wielded in many forms from false tax returns to Medicare claims to patient misrepresentations.
Cybersecurity Predictions for 2017
Many entities will evolve this year while others will continue to deprioritize cybersecurity. This is a mistake, given what is on the horizon for healthcare cybersecurity. We predict healthcare organizations can expect the following in 2017:
• Double-Digit Increase in Breaches: As hackers become more advanced and better equipped, healthcare organizations will experience a 10-15% increase in the number of cybersecurity breaches in 2017. Ransomware attacks will increase.
• Boards Will Keep Their Heads in the Sand and Hope for the Best: Some healthcare organization boards have already begun managing cybersecurity risk in the same manner as other business risks. Unfortunately, they often become engaged in cybersecurity risk management after a significant event. With that said, we predict that many boards will be content to retain a reactive posture in dealing with cybersecurity concerns. The results will be costly.
• Increase in Civil Litigation: We will see significant pressure from civil litigation, due to the breach of ePHI, using federal regulations, HIPAA/HITECH, as a standard of due care. Healthcare and cybersecurity are massive economic growth sectors, drawing the attention of both consumers and attorneys as litigation targets. As consumers have become more regulation-savvy and the legal lay of the land is better understood by attorneys, opportunities to file complaints will exponentially increase.
• Budgets Won't Be Big Enough: Given the threat landscape, we believe that most healthcare organizations will outspend their 2017 cybersecurity budgets by over 50%. Most organizations budget too little on cybersecurity and then experience overruns in an attempt to respond to emerging threats.
• OCR Moves Toward a National Framework for Healthcare: The Office for Civil Rights will take steps to develop a national framework specific to the healthcare industry that is prescriptive in its requirements in order to guide Covered Entitles and Business Associates to the desired end result with regards to protecting sensitive data and ePHI. We feel that the OCR will finally adopt the HITRUST Alliance's Common Security Framework (CSF) as the national standard or work directly with the National Institute of Standards and Technology (NIST) in developing a new framework that meets the unique needs of the healthcare industry.
6 Steps Toward a Stronger Cybersecurity Posture
It is time for healthcare to work to outpace cybersecurity threats. A proactive posture is a critical strategic investment. It is imperative that healthcare leaders realize that solving these problems will take the focus and strength of their entire organization. Much like long-term business goals and objectives, healthcare leaders need to develop strategic security roadmaps that will improve their posture over time.
So what are some actions to take? You can do to increase your cybersecurity profile starting now by doing these six things:
1. Educate the Board: Security begins and ends with executive buy-in. Invest time in making sure boards are informed and involved in order to ensure that the appropriate resources are allocated to cybersecurity. Use internal metrics and industry benchmark data to drive these discussions.
2. Engage the Whole Organization: Security is NOT just an IT problem; it takes a village. Risk decreases as more people throughout the organization are empowered to identify and respond to threats. Strengthen your employee educational programs to include specifics about phishing and ransomware.
3. Corrective Action Planning: Develop and execute corrective action planning in order to remove vulnerabilities and improve overall cybersecurity posture. Conduct a detailed tabletop exercise of your disaster recovery plan to properly test your organization's preparedness and remediate any deficiencies.
4. Make Sure Your Technologies are Working in Concert: Be sure to leverage your investments in a comprehensive and collaborative manner that improves your efficiency and effectiveness. Make these technologies work for you through proper configuration, on-going management and effective monitoring.
5. Be Compliant with Cyber Insurance Requirements: Do not think of cyber insurance as a safety blanket. Active compliance with contractual requirements is key to a strong cybersecurity program. Not fully understanding nor meeting the obligations of your cyber insurance policy may lead to a void policy and unpaid claims in the event of an attack.
6. Seek Objective Outside Perspectives: While a strong cybersecurity posture takes a village, consider input from experts outside your organization in order to contribute new perspectives to your efforts.
With no simple fix to this complex problem, it will take collaboration, investment and a comprehensive, ongoing approach to managing cybersecurity risk organization-wide in order to meet the rising challenge. Managing cyber risk is complicated, but it is most effective when led from the top, well-planned, and supported by data. Be the champion within your own organization and push to elevate the discussion of managing cybersecurity risk.
Dan L. Dodson is President of Fortified Health Security where he brings over 10 years' experience in the healthcare and insurance industries — serving as both an operational leader and sales leader. Dan's specific focus has been in aligning organizational strengths with client needs through the execution of relevant go-to-market strategies and solution development. Dan also serves as an Executive Vice President for Santa Rosa Consulting. Prior to joining Fortified, Dan was Senior Vice President at Hooper Holmes, Inc. (AMEX: HH), a company serving the health and wellness and life insurance industry. Prior to joining HH, Dan served as Global Healthcare Strategy Lead for Dell Services (formally Perot Systems) and has held numerous positions within various healthcare organizations including Covenant Health System and The Parker Group. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.
Download Fortified Health Security's 2017 Horizon Report here.
1 Source: Reuters — http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.