At a recent conference of healthcare executives in Washington, D.C., the FBI’s cyber division’s deputy assistant director reinforced the extent of cyber security vulnerabilities the industry faces from hackers. Donald Good, in fact, said the FBI considers the healthcare sector to be a “Tier 1 highly targeted industry” due to its abundance of personally identifiable information (PII) and protected health information (PHI), with this trend unfortunately set to continue.
As we discussed in prior blogs, the healthcare industry’s cyber exposures are exacerbated by several challenges, among them: older/legacy systems, a transition from paper to electronic medical records, Bring Your Own Device policies, and a high payout for protected health information sold on the black market.
Deputy Assistant Director Good told the conference audience that healthcare executives at the CEO and boardroom level must be made to understand that cyber threats to protected health information are a real concern with real consequences. “For a number of years, folks I think realized there was a threat out there, but it wasn’t as pervasive as it is today,” Good said. “It’s not a question of whether or not you’ve been compromised. You will be compromised at some point. I don’t care what you do or how much money you throw at the problem. When the information is gone, it’s gone. I don’t think people really understand how grave the threat is until they actually experience it firsthand.”
Indeed, the cyber alarm for the healthcare industry has been ringing loud and clear during the last 18 to 24 months. We have seen several major data breaches among providers and payers, including the attack at Anthem that exposed 78.8 million records, the Premera Blue Cross breach that affected 11 million individuals, and the Community Health Systems breach in which information for 4.5 million patients was compromised. Most recently, Excellus BlueCross BlueShield suffered a major cyber attack, affecting as many as 10 million individuals.
Cyber threats, however, are not limited to behemoth companies that make headline news when breaches occur. Smaller healthcare organizations are also at significant risk. “I wouldn’t assume that because you’re a smaller provider or payer that you’re not a target,” Good warned at the conference. “The bigger organizations oftentimes have more resources that they can put against the threat. They’ve got the funding and personnel to harden their networks a little bit better. These smaller organizations are perhaps at just as great a risk—if not more—because they don’t have some of those resources.”
In addition, many healthcare breaches go unreported, as organizations don’t want the negative publicity that a breach will garner. The large-scale health data compromises “get all the media attention,” said Good, arguing that the problem is more widespread than what’s being reported.
Cyber threats will continue to mount in the future as networked medical devices and wearables become more in vogue.
There are measures organizations can take to minimize the risk, such as implementing strong passwords and two-factor authentication, reviewing the “elevated privileges” granted to personnel (which allow them to go anywhere on a network), and making sure that employees who no longer work for an organization no longer have network access. The FBI also recommends a number of additional best practices for incident preparedness in the event that something does happen, including: network topography maps to understand how networks and systems are set up, incident logs, archived network traffic, and operations contingency planning and disaster recovery procedures.
It’s also important for healthcare organizations, including surgery centers, assisted living facilities, nursing homes, hospital divisions and other medical facilities, to have a strong cyber insurance program in place. A tailored insurance policy specifically designed to respond to the needs of the healthcare sector is required. Caitlin Morgan can assist you in securing a Cyber/Privacy & Network Security policy for your insureds. Give our professionals a call at 877.226.1027.
Source: Health Data Management