Cybersecurity in the healthcare field has gone through a lot of changes in the past few years. In 2016 there was a significant jump in the total number of healthcare-specific cybercrimes. According to SecurityIntelligence there was a 71% increase in confirmed data breaches in the healthcare sector from 2015 to 2016. Drilling down on that increase revealed that most of the jump came from external causes (i.e. "hacking," ransomware, or malware), followed by internal non-malicious causes (i.e. accidents by insiders). Trends show that cybercriminals have found more value in healthcare data, and the potential for long-term use is much higher because it is more difficult for an individual to change their "health data." Another eye-opener is that the types of healthcare entities affected are not limited to hospitals. Business associates, specialized care providers, and health plans have all been targets of cybercrime. Oncology, anesthesiology, orthopedic, and radiology practices are a few of the specific entities that appeared in the top 10 largest healthcare breaches of 2016. This data tells us that cybercriminals will target or find data outside of the large medical providers, and may even be targeting the organizations that have lagged behind in implementing security controls.
As cybersecurity becomes critical to healthcare, here are some important questions for you and your team to help determine how well protected your organization is:
- Do you know what your organization is doing for cybersecurity?
- Are you clear on the security strategy, priorities, and risks?
- What are your role and accountabilities with respect to cybersecurity?
- How many incidents or breaches have you had in the past year?
- How would you respond to a breach if it happened today?
Your “security maturity” will vary depending on how you answer the previous questions. Some organizations will gain comfort from verifying that they have a fairly mature security program in place. Other organizations may realize their cybersecurity diagnosis is more serious and requires immediate attention. A solid understanding of your security risks and of your approach to managing them should be a good indicator of your organization’s final diagnosis.
Know the Unknowns – Ask Questions!
Based on your diagnosis, your organization may want to decrease its risks and start treatment internally. Consider beginning by “knowing the unknown.” To understand the unknowns, you should ask questions, LOTS of questions, and follow up on every answer with “what are we doing,” “why are we doing it,” “how do we measure it,” and “how does it decrease risk.”
Implement Cybersecurity Best Practices
Your organization should be following industry best practices for cybersecurity and tie to an accepted standard like NIST, ISO, or PCI. You should know your compliance requirements and feel assured you are fully compliant. Specifically, in healthcare, it is essential to have evidence of HIPAA compliance.
People are consistently one of the top risks to an organization, so educating employees on security is critical. Security awareness training needs to go further than an online video or slide show. Training needs to relate to and resonate with your team. It should be memorable, so that when the next security threat comes along, security is top of mind.
Understanding how your organization manages risks, threats, and vulnerabilities is important to the overall security strategy. A proper risk management program will take an organization from guessing to careful decisions based on likelihood and impact. This qualitative approach will provide a measurement for risk reduction.
It’s likely your organization will need to consult a specialist to address specific cybersecurity needs. When evaluating cybersecurity partners, you should verify their experience, certifications, and organizational capabilities.
Want to chat more with our experts and see a list of recommended services to get you started? Learn More!