The Sorry State of Cybersecurity in the Healthcare Industry


Given the sensitivity and confidentiality of the data handled by the healthcare industry every day, you’d think that cybersecurity is a top priority among healthcare providers. Sadly, you’d be mistaken. The healthcare sector, it seems, is struggling to keep up with the times, especially when it comes to putting strong cybersecurity measures in place. 
IT experts say that many healthcare providers, along with medical device manufacturers, don’t recognize the need for such measures, even as they suffer multiple data breaches. Healthcare companies and energy/utility companies are among the industries most vulnerable to cyberattacks today, according to the BitSight Insights Industry Benchmark report in September. 

Any statistics on that? 
The numbers don’t lie, and they’re pretty alarming. The healthcare and social assistance industry suffers the highest incidence of data breaches at 56%, compared with the 31% average across all industry sectors. Public data from the U.S. Department of Health and Human Services also show a total of 55 data breaches in the country in 2015. These breaches affected the information of over a hundred million victims – 111,802,842, to be exact. 
Health insurance company Anthem Inc. demonstrated earlier this year just how inadequate cybersecurity in the healthcare industry is when it lost more than 78 million medical records in a data breach. Similarly, 11 million people were affected by a data breach at Premera Blue Cross, another health insurance company. 
According to Ponemon Institute, a research center dedicated to privacy, data protection and information security policy, data breaches cost the healthcare industry about $5.6 billion each year. 

So what’s the healthcare industry doing about it? 
Not much yet, judging by the cybersecurity measures currently in place across the healthcare industry. 
Just from the sheer number of medical records compromised, it’s clear that the healthcare industry needs to adopt stronger measures for cybersecurity. It needs to do more to protect not only the medical and personal information of patients, but also medical devices like insulin pumps and pacemakers. Security threats to these devices could result in the loss of life. 
Healthcare providers may also need to train their own staff, since employee error was the cause of data breaches 26 to 36 percent of the time. A focus on proactive, intelligence-driven monitoring and response is also essential for preventing data breaches. 
For instance, one of the costliest and most dangerous employee errors occurred in 2013 at the University of Washington Medicine. An employee downloaded an email attachment containing malware, which compromised critical medical data and personal patient information. The University of Washington Medicine agreed to a $750,000 settlement over its shortcomings. 
Authorities from the HHS and cybersecurity companies have also emphasized the need for the healthcare industry and government sectors to work together on solutions to cyber threats. To help strengthen cybersecurity for the healthcare industry, the National Institute of Standards and Technology has also released the Framework for Improving Critical Infrastructure Cybersecurity, a set of standards, guidelines, and practices that promote the protection of critical IT infrastructure and help IT infrastructure owners manage cybersecurity risk. 
According to NIST experts, healthcare organizations can use the framework as a way to understand and develop cybersecurity plans. 

How does HIPAA figure into all this? 
HIPAA actually helps ensure that healthcare providers and health insurance companies have some cybersecurity measures in place. 
According to HHS’ website, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the development of regulations that protect the privacy and ensure the security of certain health information. Under the Security Rule of HIPAA, covered entities such as health plans, health care clearinghouses, and health care providers are required to assess their working environments for risks and vulnerabilities and implement security measures to address these risks and vulnerabilities. 
So, if you’re covered by the definition of a covered entity under HIPAA, the HIPAA Risk Assessment is something you have to do. It’s required by law for HIPAA compliance. Additionally, under HIPAA, covered entities such as clinics, hospitals, and HMOs must have certain policies in place for protecting patient data. 
It should provide some measure of comfort that the state attorney general offices in all 50 states now have the authority to enforce HIPAA. 
Up next, let’s discuss what we in the dental industry should be doing to address potential cybersecurity attacks.
Compiled by Paolo Kalaw, CEO of nimbyx – a company focused on seamlessly linking the dental industry - dentists, dental labs, distributors and reps – to help you expand your reach and grow your business. Contact him at info@nimbyx.com

Sources for this article include:

Jeremy Seth Davis, Dec 2015. Retrieved Jan 2016 from http://www.scmagazine.com/hhs-hitrust-deloitte-attack-healthcare-orgs-to-test-cyber-preparedness/article/457790/
Unattributed, U.S. Department of Health and Human Services breach portal. Retrieved Jan 2016 from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Lorenzo Franceschi-Bicchierai, Dec 2015. Retrieved Jan 2016 from http://motherboard.vice.com/read/55-healthcare-data-breaches-have-hit-more-than-100-million-people-in-2015
Lorenzo Franceschi-Bicchierai, Dec 2015. Retrieved Jan 2016 from http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids
Brian Krebs, Mar 2015. Retrieved Jan 2016 from http://krebsonsecurity.com/2015/03/premera-blue-cross-breach-exposes-financial-medical-records/
Ellen Rosen, Dec 2015. Retrieved Jan 2016 from https://bol.bna.com/data-breaches-most-common-in-healthcare-industry-survey-says/
Sara Heath, Dec 2015. Retrieved Jan 2016 from http://healthitsecurity.com/news/nist-calls-for-public-comment-on-cybersecurity-framework
