The health and human service field has been hit hard by cyberattacks and data breaches. Earlier this year, we reported that health care now sees twice the number of cyberattacks per day as other fields—32,000 attacks on average vs. 14,300 (see Preparing For A Cyberattack—In Four Steps). In addition, an estimated 40% of health care organizations have had at least one attack by WannaCry, a ransomware virus—thanks in part to the uncomfortable fact that almost 30% of health care organizations are running old, unpatched versions of the Windows OS (see 40% Of Health Care Organizations Were Attacked By WannaCry Ransomware In Six-Month Period). But I was recently struck by how this threat has continued to evolve. Protecting data from theft is one thing, but researchers recently announced that they had created a computer virus that could add tumors into CT and MRI scans (see CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning).
The costs, according to a new study, are greater than anyone anticipated. According to a new report from the federal Department of Health and Human Services (HHS), those attacks amount to a combined $6.2 billion cost, including $408 per record exposed, up 7.4% from the 2017 per-record cost of $380 (see Data Breaches Cost Hospitals $408 Per Record).
So, what to do? According to my colleague, Sharon Hicks, the most important piece is to have a data security plan and make sure it is followed. Ms. Hicks explained to me recently:
The most important thing that any organization can do is create and follow a checklist that covers data security, network security, privacy, and assessment of risk. The right balance of security processes and assuring access to data that is important for clinical/program staff is difficult to find. But every organization that has vulnerable data sets should be planning for the worst to happen. Hoping that it does not happen isn’t enough.
But, generally, that isn’t happening. Even though health care leads all industries in money lost (the second largest cost per record was financial data breaches at $206 per record), only about 4% to 7% of hospitals’ total information technology budgets were spent on cybersecurity, compared to 10% to 14% in other industries.
What should be in your data security plan? HHS recommends adoption of 10 practices for mitigation (see Your Data Security Deserves A Second Look). These include:
- Using email protection systems, including system configuration, email education, and offering phishing simulations to employees.
- Using endpoint protection systems for computer networks that are remotely bridged to client devices, including laptops, tablets, mobile phones, and other wireless devices.
- Implementing access management for computers, data stores, and programs.
- Implementing data protection and loss prevention policies and practices.
- Implementing asset management, including practices for tracking inventory, procuring new equipment, and decommissioning old equipment.
- Managing the network, including network segmentation, physical security and guest access, and intrusion prevention.
- Managing vulnerabilities, including identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.
- Responding to incidents, including monitoring and detection of security events on a computer or computer network, and the execution of proper responses to those events.
- Incorporating medical device security.
- Implementing cybersecurity policies using an integrated and intelligent approach to securing your data, computing, and network environment.
While a forward-thinking Chief Information Officer should know exactly what to do with this list, the unfortunate truth is that this kind of person is often lacking at many organizations (see After ‘Reinventing’ The CFO, It’s The CIO’s Turn). Additionally, the field lacks a set of mandatory best practice standards at the national level, leaving much of the data security to individual states, organizations, or health information exchanges. My colleague Sharon Hicks noted years ago that we need an agreed-upon model of data encryption, nationwide definitions of minimally required data sets, better privacy policies, and digital security standards and practices (see Digital Security Isn’t Where It Needs To Be). The field still needs these things.
For more on this looming topic, check out these resources from the OPEN MINDS Industry Library:
- The Dark Side & Management Challenge Of The ‘Internet of Things’
- Your Data Security Deserves A Second Look
- More & Larger Health Care Databases Mean More Data Security Concerns
- Do You Have The Right Data Security ‘Attitude’?
- What Is Your HIPAA Security Score?
- Recipe For HIE Success: Consumer Trust Through Security
- Will Security & Interoperability Shape Our Health Care Future?
- Digital Security Isn’t Where It Needs To Be
- It’s The People, Stupid!
- A New Twist: EHR Extortion
- Avoiding The “Wall of Shame”
And be sure to mark your calendar for October 28-30, when we will host The 2019 OPEN MINDS Technology & Informatics Institute at the Loews Philadelphia Hotel, including the session “Managing The Data Breach: How To Prepare, Plan & Protect Your Organization” on October 29, featuring Ms. Hicks.