The threat of cybercrime can be felt most strongly where its impact is most acute. Although threats to our critical infrastructure - electricity, financial institutions, transportation - are of paramount importance, it's the increasing threats to healthcare that keep many of us security experts up at night. These threats have been steadily rising for many years, with headline-grabbing breaches, such as one at Anthem, shaking many to their core. But it's the repercussions of the loss of ePHI that have me worried.
We talk about the impact of data breaches on organizations, with healthcare data breach costs still 2.5 times the global all industry average at $380 per breached record, a sum which costs the healthcare industry as a whole many billions of dollars each year. But what about the impact to patients? That's where my concerns lie. What happens when patient data is used in medical identity theft for years, only discovered when the collections agency comes calling? Or worse, when a patient receives incorrect medical care because the medical record is compromised by false updates? What happens to the patient who enters the hospital for care only to find all hospital systems shut down by ransomware? What happens to the patient if his pacemaker or MRI machine is hacked?
Recognizing the greater potential fallout of healthcare breaches and the impact these breaches have on consumers, the incoming EU General Data Protection Regulation is set to enforce a new and higher set of data protection standards on healthcare organizations.
Healthcare technology has made leaps and bounds in terms of its ability to improve patient outcomes, and yet many technologies are being deployed before security concerns can catch up. We trust that we'll receive the best care possible from our doctors, but we've only just begun to feel the impact of cybersecurity threats on patient care. So, what can healthcare organizations do to improve the situation?
- Thoroughly review vendor contracts and partner systems. Healthcare organizations today are large and complex systems, with many "smaller" entry points through partner systems or vendors. Security standards must be reviewed regularly and a process put in place to promptly report data breaches by all partners and vendors. Organizations should make sure that they have the contractual rights to insist on security standards for vendors.
- Put in place a data breach notification procedure, including detection and response capabilities, and consider purchasing special insurance. Under the upcoming EU General Data Protection Regulation (GDPR) requirements, organizations handling Europeans' data must report a data breach within 72 hours.
- Rehearse your data breach plans and make sure the organization can report on the consequences of a breach very quickly.
- Ensure visibility to all endpoints to ensure firmware and software can be updated against vulnerabilities and that red flags go up if a device misses an update, goes missing or shows signs of tampering.
- Update or protect legacy technology in healthcare against attack. The reality of limited budgets in healthcare means that many legacy systems remain unsupported, with unmatched vulnerabilities, which could place the entire network at risk. Isolating these systems or building protections around legacy systems can serve as a temporary safeguard until systems can be modernized.
- Automate detection and response capabilities. A recent Ponemon study found that traditional endpoint security approaches are costing enterprises more than $6 million in poor detection, slow response and wasted time. Security solutions should be automated to detect and contain threats with minimal human input or intervention.
- Make data protection a board-level concern by appointing a CISO or Data Protection Officer to be responsible for data security and ensuring data security is a regular topic by the board, a key differentiator in reducing security gaps.
- Train staff regularly on the importance of data security to mitigate the insider threat. Have a well-communicated policy on how and when to report lost devices or suspicious texts or emails and enforceable repercussions for infractions.
- Set up and undertake regular compliance reviews in order to identify and rectify issues.
- Add resiliency to security solutions to ensure that the controls in place cannot be tampered with by malicious or insider activity.
Recognizing the greater potential fallout of healthcare breaches and the impact these breaches have on consumers, GDPR is set to enforce a new and higher set of data protection standards on healthcare organizations that handle Europeans' data. You can read more about these data protection recommendations and more in our whitepaper, GDPR: What Healthcare Organizations Everywhere Need to Know.