Information Age’s Chloe Green recently examined the state of healthcare cyber security and the current dissonance between healthcare being the most heavily targeted industry for cyber attack and the gaps in security planning that will continue to make these attacks possible.
The ITRC data breach report for 2014 showed a total of 761 data breaches for the year, with healthcare breaches accounting for 42.3% of all breaches (322 out of 761), far higher than any other industry. The trends from 2015 have shown that healthcare data breaches have continued to rise into this year. The high value of healthcare data, which can go for at least 10 times as much as credit card data on the black market, is in part prompting a greater number of cyber attacks in healthcare. Doing some math, the Information Age article pegs the payout from the average data breach in healthcare at between $285,640 and $1.7 million. That’s quite the payout for a single data breach in the healthcare industry.
There’s no question that there’s a lot of value in healthcare data, and yet the fallout of these breaches still remains to be seen. For example, while we hear a lot about fraud as a result of breached credit cards, it can be years before someone notices a breached medical record has been used. Cybercriminals can thus “make use” of these records for a long time, which also drives up their value. The average impact of data breaches per organization is over $2 million, costing the industry over $6 billion per year.
Although it’s true that the healthcare industry is facing more targeted cyber attacks, these attacks are not necessarily more sophisticated. Most healthcare organizations, particularly hospitals, are leaving many “doors” open due to a lack of proper cyber security defences. For example, 88% of healthcare organizations allow for the use of personal devices, yet 40% take no steps to secure those devices. Other research has shown that even if BYOD is not officially sanctioned, employees and clinicians still claim to use their personal devices for work. If organizations have no way to secure these devices, how will they even know if a data breach has occurred? These devices, both for the data they contain and their access to the healthcare network, are a huge point of risk in healthcare.
Healthcare can no longer afford the mistakes that lead to data breaches, nor the mistakes that allow them to go undetected. With most organizations facing multiple data breaches per year, and these breaches costing millions of dollars, it’s time to be more proactive. The Information Age article suggests that protection of endpoints be a top priority for healthcare organizations to prevent data breaches, and we would agree.
In our whitepaper, Best Practices for Healthcare Data Breach Prevention, we discuss many specific ways you can achieve data protection and compliance, including policy, process and layered-technology defences. To support your preparedness, we recently launched Absolute DDS for Healthcare, a comprehensive onboarding program which pairs the highest level of endpoint security with expert forensic support to respond to and contain security incidents.