The growing cyber siege on corporate America is forcing executive leadership to spend greater amounts of time, money and effort in defending against cyber attacks and data breaches. While no sector of the economy is immune from these attacks, the healthcare industry has proven to be a particularly appealing target. The Ponemon Institute just released the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. The study suggests that data breaches could be costing the industry $6 billion annually. More than 90 percent of healthcare organizations represented in the study had a data breach, and 40 percent had more than five data breaches over the past two years.

There’s no question that the healthcare sector has long been in the crosshairs of hackers and has served as a prime target for cybercriminals. Experian’s 2014 Data Breach Industry Forecast proved particularly prescient in saying, “The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches …” Before the year was out, both Anthem and Premera helped validate that forecast. In terms of both scale and scope, these incidents were a shot across the bow and served to further raise awareness of a significant risk that can impact so many people. With successful penetration, cybercriminals can gain access to a data-laden gold mine for identity theft — personal, medical and financial information — sold for a premium to black market buyers. The categories of information held by health insurers include full names, addresses, employment information and Social Security numbers.

According to PhishLabs, health and medical records can be sold on the black market for many times more than credit card information — fetching from $25 to $250 per record. The Ponemon study suggests that the average cost of a data breach for healthcare organizations is more than $2.1 million. This surreptitiously obtained information is used to perpetrate medical and healthcare fraud and identity theft, costs that are ultimately passed on to consumers and add to ever-rising medical premiums. Compounding the situation is that children are often the victims and command the highest premium for identity thieves, since their credit is rarely monitored and the consequence of its loss may not be realized for many years.

In addition to data breaches seeking personally identifiable information (PII) or protected health information (PHI) from health insurance companies, hospitals and healthcare providers need to be especially prepared for additional cyber risks, including threats to hospital IT networks and medical devices that can severely impact patient safety and operations.

No healthcare organization, regardless of size, is immune from data breach. That fact heightens concern over another finding of the Ponemon study: many organizations do not have the budget and resources to protect both electronic and paper-based patient information. In fact, 56 percent of healthcare organizations don’t believe their incident response process has adequate funding and resources. Until healthcare organizations devote sufficient resources to better security and incident response practices, the industry will continue to be exploited to the detriment of consumers.


By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

May 12, 2015