With a healthcare industry that is growing at a rapid pace and developing an ever-increasing reliance on technology, security has become a major concern, especially given the massive malware attacks earlier this year that tore through more than 150 countries and affected millions. The attack included the top transcription vendor in the U.S. healthcare industry. KPMG International concluded in a survey that 80 percent of healthcare providers and insurers have had their IT compromised by cyber-attacks. Clearly, significant vulnerabilities exist at the intersection of technology and medicine.
Impact of Cyber Attacks
Recent cyber-attacks typically have been in the form of ransomware. Ransomware is malicious software that adversely affects an organization’s technology systems.
A 2017 study conducted by IBM and the Ponemon Institute found that the average total cost of a data breach for healthcare organizations is a whopping $7.35 million. These attacks cause serious complications that result in delayed treatment when physicians cannot access the data they need, potentially leading to poor-quality care. Cybersecurity attacks can result in negative cash flow and even loss of life if the attack affects technology required for life support. At risk, therefore, are not only a hospital’s bottom line but also its reputation.
Healthcare organizations also may be subject to penalties for violating HIPAA. The average HIPAA settlement fine is approximately $1.1 million, a figure that is only increasing as the U.S. Department of Health & Human Services becomes more aggressive in enforcing HIPAA regulations.
The negative impact on a healthcare organization’s image following a cyber-attack can have long-lasting effects. Recent breaches across industries have resulted in 65 percent of customers losing trust and 31 percent of consumers discontinuing their relationship with an organization.
Every hospital CFO is expected to maintain a bird’s eye view of the threat landscape, and in doing so, the CFO can be in a position to help allocate funds and resources to those areas most vulnerable to an attack.
With regard to cybersecurity, these finance leaders should consider, in particular, the following key actions.
Develop a culture of cybersecurity. The finance leader should collaborate with the CIO to develop procedures and processes to create continuous education, awareness, and training across the organization. It takes only one unaware employee to open an attachment with a malicious virus that will cripple the entire system. A dedicated security operations team can handle security, hunt threats, educate staff on the latest threats, and perform penetration tests.
Identify, prioritize, and safeguard crucial data. The finance leader should identify the data that are absolutely necessary and cannot be compromised, thereby providing the organization with a sound basis for allocating appropriate funding to deploy better protective mechanisms around its data/devices. An effective plan addresses not only access to medical and billing records, but also contingencies for email and for departments reliant upon the network and departments with high-tech equipment (e.g., laboratory, pharmacy, and imaging services).
Invest in a risk-based cybersecurity framework. Frameworks built on standards such as those set forth by the U.S. National Institute of Standards and Technology help hospitals better identify, prioritize, mitigate, and communicate risks internally and externally. They further help design, monitor, and measure progress toward improved cybersecurity programs.
Consider a cloud-based cybersecurity system. Cloud-based software leverages advanced technologies for data security, network protection, and identity and access management. Cloud computing includes a range of services such as advanced authentication, penetration and vulnerability testing, real-time threat monitoring, network behavior analysis, and security alert analysis. These capabilities provide for top-notch security, avoidance of downtime, rapid data recovery mechanisms, easy scalability of applications, and availability of data.
Invest in cybersecurity insurance. Cyber-attackers find sophisticated ways to circumvent security safeguards. Buying cybersecurity insurance that covers denial-of-service attacks, data destruction, fraud, and extortion mitigates the financial impact of such incidents. Other key areas of coverage include crisis management, data restoration, and business interruption.
Evaluate incident detection and monitoring mechanisms. A list of contact information for key players from an organization’s network and internet service providers should be kept with IT. A holistic network map (showing all possible threats and plans to counter them, including what roles each stakeholder will play) can help an organization better predict and prepare for an attack and serve as a visual tool to support the diagnosis of a threat. Risk assessments help identify the most crucial information to protect and ways to maximize the organization’s cybersecurity budget.
Review the data breach response plan. An organization should leverage its network security partners to compose a threat-based series of responses that are current industry best practices.
Collect and analyze security risk reports on a periodic basis. Based on specific risk indicators, detailed reports should identify privacy and security risks, vulnerable spots, and the steps needed to mitigate those vulnerabilities.
Evaluate current technology. Cybersecurity systems should be updated and upgraded on a regular basis and monitored in real time. Legacy data centers are prone to security loopholes as well as data corruption, outages, and failures.
Monitor software vendor capabilities. Finance leaders should enlist the help of IT leaders in evaluating, validating, and mitigating security concerns. This process requires an understanding of vendor data, encryption methods, disaster recovery procedures, third-party accreditations, and the security checks the vendor performs on persons who have access to data.
Research by the Identity Theft Resource Center shows that in 2017 the U.S. healthcare industry led all other industries in the number of records compromised (57 percent of total records). The sheer frequency of these attacks, along with the evolution of more complex attacks and a lack of sufficient security, should prompt hospital leaders to make sure their organizations are taking the steps required to manage cybersecurity effectively.
Chetan Parikh is CEO, ezDI, Inc., Louisville, Ky.