By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Security must become more of an essential feature in healthcare. The risk of an attack is ever present and pretty much a guarantee at this point. If an organization has not revealed an attack it either has not detected the intrusion yet or is trying to avoid a negative spotlight by keeping information in the background. The confluence of circumstances does not present a very rosy picture for the industry, but should be viewed as an opportunity to be seized to improve.
The Most Recent Survey Findings
In a recent survey from the Ponemon Institute, which was sponsored by proofpoint, the responses reveal successful attacks are more likely, patient care is frequently compromised, and the average cost of attacks is only going up.
Diving into some of the key findings, here are a few numbers that should raise eyebrows and hopefully inspire a scramble to enhance security efforts:
- 88% – Percentage of organizations that had at least one cyberattack in the prior twelve months.
- 54% and 68%/69% – The first number reflects the percentage of organizations that experienced multiple ransomware attacks or business email compromise attacks in the past two years. The second number is the percentage of respondents who said the respective type of attack negatively impacted patient care and safety.
- 100% – All organizations stated that patient or other sensitive healthcare information was taken in at least one of the successful incidents. That means personal and private information is almost always guaranteed to be exfiltrated, which reflects a significant shift in the impact of attacks from a few years ago, or at least organizations are getting better at understanding the impacts and seeing how data were taken.
- $1.3M, $1M, and $1.1M – The financial impacts across three areas of healthcare operations including normal operations, time to correct the impacts on patient care, and idle time and lost productivity. The total of over $3M helps to underscore why the financial impact of an attack keeps going up.
- 32% – The percentage of organizations that are ready to detect and response to insider security threats. The low percentage is problematic because insiders have historically and continue to be one of the biggest, if not the biggest, risks to the privacy and security of sensitive information held by an organization.
- 65% – In an optimistic improvement, this percentage of organizations reports taking steps to improve employee awareness about cybersecurity threats and how to respond. If more employees understand the threats, then hopefully more incidents can be reported before the impact spreads too far or, even better, not occur in the first place.
What Does It All Mean?
One message from the survey results should be clear: security is not good to have, it is an absolute requirement. Being shortsighted around the impact of security means an organization will certainly face financial and patient harm consequences. If the baseline of protecting information is not enough to spur activity, then the fallout, which lingers for a significant period of time after an attack, should help make the internal argument.
No business wants to see its operations disrupted and negative impacts on the individuals that it serves. Those maxims would seem to be obvious in healthcare given the negative impacts have serious consequences for individuals who access services in a time of need. However, up until now, the impacts have not spurred an appropriate response. If activities and resources had increased before now, then the survey results would not paint such a dreary picture of the state of security affairs.
The responses about the impact on patient care and safety are of particular note. Both the responses and reporting following a breach continue to show a compromise to the ability to deliver services, which in turn carries longer term consequences for patients. Outcomes of that nature are not acceptable in healthcare because the ripples will typically spread a lot farther and longer than anticipated.
The state of affairs also should not have reached this stage because these impacts arguably could have been easily anticipated. If systems have to be shutdown, cannot be accessed, data recreated, or a host of other actions, then the ability to deliver services will suffer. When services cannot be delivered, patients will face more challenges. As attacks increased in sophistication that path could be seen. Even if healthcare organizations could claim with a straight face that the full scale of impacts was not known ahead of time, then the consequences should have been crystal clear after the first few public reports about organizations struggling to respond to an attack.
While all of that cannot be changed, the growing reports and data can form the basis for charting a new course going forward. Investing in security may not appear to drive increased revenue or otherwise generate more money, but it is clearly a strong investment in operations that can produce a strong return. Specifically, investing in security can mitigate against the impact of a successful cyberattack by decreasing the odds of success in the first place and then enabling faster recovery when an attack is successful. Given the evidence on the financial impact of a successful attack, limiting the likelihood of that happening should be a top priority.
Regulations as an Aid?
It may be a bit trite to say, but, in healthcare, HIPAA can provide a foundation for robust security efforts. Admittedly, the security rule does not contain specific instructions for protections to implement or what may be best in class. However, it would be impossible for regulations to do that. Why is it impossible? Because regulations take time to implement or amend, which means the regulations cannot keep up with the pace of change in the real world.
However, the regulations can set a basic framework from which solid security can be established. For example, the Security Rule under HIPAA calls for auditing and monitoring systems for inappropriate activity. The rule does not spell out exactly how to implement those processes, but requiring the processes to be in place directs an organization down a path where security can be enhanced. The Security Rule is littered with such examples. Defining the bones of a robust program and then letting each organization customize efforts to specific business needs can be a path to greater protection.
Getting to the point of better protection though calls for investment of time, resources, and commitment. Security is not a one and done activity, but like almost everything in life, requires constant effort and evolution. That effort is needed and while it may feel insurmountable, taking one step at a time will generate positive impacts more quickly than may be expected.
This article was originally published on The Pulse blog and is republished here with permission.