In Part I of this article, we explored recent reports showing that the healthcare industry is struggling with cybersecurity in comparison to other major US industries. As we noted, the first issue is how valuable and attractive electronic health records are for malicious actors. The second issue, which we will explore below, is that healthcare organizations are not keeping up with other industries in terms of protecting themselves from cybersecurity threats.
Not Keeping Up
Unfortunately, the healthcare industry is not doing a good job of keeping up with the changing cybersecurity landscape. This only contributes to the issue noted in Part I – not only are healthcare organizations appealing targets, they are also easy ones.
One of the main reasons healthcare organizations are falling behind is that they are not spending enough money on cybersecurity and information protection. A recent Symantec and HIMSS Analytics survey characterized just how big the cybersecurity investment gap is in healthcare as compared to other better-performing industries, as reported by the site Healthcare Informatics:
“The survey found a continued lack of investment in cybersecurity by healthcare providers. Specifically, 74 percent of providers devote 6 percent or less of their total IT budget to IT security. Nearly half of respondents (45 percent) reported allocating 3 percent or less of their total IT budget to security. Another 29 percent reported spending between 4 and 6 percent of their total IT budget on security. In fact, the average level of IT security spend has remained flat over the last three years. By comparison, the finance industry typically tends to spend 10 to 12 percent of its IT budget on security.”
A second key takeaway from all the recent reports on cybersecurity in the healthcare industry is that employee behavior remains a significant vulnerability. As the SecurityScorecard 2018 Healthcare Report states:
“The healthcare industry ranks third from the bottom in terms of social engineering [such as spoofing and phishing]. … These types of attacks rely on tricking unsuspecting employees into revealing information via malicious websites, email, or over the phone. In addition, hackers leverage social engineering to deploy malware on a network, often by tricking an employee into opening an email containing a malicious payload.”
An additional study recently reported by the site Health IT Security also identified that “78 percent of healthcare employees showed some lack of preparedness with common privacy and security threat scenarios.”
“‘Beyond training geared toward HIPAA compliance, healthcare employees need a comprehensive approach to awareness education that includes security and privacy awareness,’ researchers explained. ‘Keeping within HIPAA regulations, while vital, does not educate users on how to spot a phishing attack, for example. Additionally, mere compliance does not equate to a fully security-aware culture.’”
The third key takeaway from all these reports is the importance of keeping IT systems up to date through patching and other security updates. According to the SecurityScorecard report, “patching accounts for the most prevalent cybersecurity issues in the healthcare industry.” Simply put, patching IT systems quickly and reliably is critical for any healthcare organization. Hackers seek out and attack organizations that don’t apply patches and security updates quickly. Furthermore, failure to patch systems effectively can lead to increased penalties or negligence lawsuits should a breach occur. The reality of today’s cybersecurity and IT system demands is that all but the smallest healthcare organizations need someone actively maintaining and securing their IT systems, whether a proper in-house IT department or a capable IT managed services vendor.
The cybersecurity threats to healthcare organizations and ePHI are not going away, so healthcare organizations need to start paying better attention to them.
It will take more and better computer security awareness training of providers and employees. It will take appropriate support to keep IT systems secure and up to date. It will take more investment of time and money into cybersecurity measures.
With tight budgets, we understand that healthcare organizations struggle with justifying additional expenditures. Our recommendation is to gain insight into the organization’s greatest needs – and the costs of inaction – through a security risk analysis. An effective risk analysis will:
- Quantify risks in both dollar and patient safety terms,
- Determine the probability that these impacts will occur,
- Provide prioritized recommendations to reduce risks, and
- Present this information to the board and decision makers in a format that is meaningful so that they can make the difficult tradeoffs when budgeting.
Only when the organization’s leadership understands the magnitude of the risks in terms of finances, reputation, and patient safety will they be able to justify increasing the investment in computer security.
At Eagle Consulting Partners, we provide information security consulting, risk analysis and management, HIPAA and computer security training, and policy development solutions for healthcare and healthcare-related organizations. Contact us if you have any HIPAA or cybersecurity needs, or if you’re just not sure where to start.