Can you Trust your Healthcare Provider to Keep your Sensitive Data Safe?
When you check into a clinic for medical services, you may also be handing your personal data to any number of criminal groups. On top of that, the quality of care you receive can suffer because of choices made by clinic administrators, especially how much they choose to invest in cybersecurity.
By the numbers: Breaches in healthcare
Risk Based Security recently released its July 2021 report on data breaches (this infographic sums it up). In the 261 breaches it knows about, 254M records were exposed. Healthcare was the most-targeted industry, with 36 breaches. A separate report from CyberMDX counts 49 US healthcare data breaches so far this year. The same report claims hospitals now account for 30% of all large data breaches, at an estimated cost of $21B in 2020 alone. And make no mistake: the cost of recovering from cyberattacks is passed on to the patient.
The CyberMDX report also claims that 48% of hospital executives reported either a forced or proactive shutdown in the last six months because of external attacks or queries. A recent article about an information technology security incident at Memorial Health Systems in Ohio illustrates the point: the incident forced it to suspend user access to the IT applications supporting its operations. Memorial Health canceled surgeries and temporarily reverted to paper records while it recovered. Nor is Memorial Health an isolated case. HIPAA Journal reported on August 4th that three major health networks in California, Pennsylvania and New York were affected when a third-party vendor (Guidehouse) was hacked, breaching sensitive patient information.
The lack of investment in cybersecurity
Healthcare is one of the most profitable industries in America. Yet in a 2020 HIMSS survey of 167 healthcare providers, 24% spent less than 10% of their IT budget on security and 18% did not know what they spend on cybersecurity. That is consistent with what HIPAA Journal reported from a five-year BitSight study, in which the probability of a data breach at a hospital with a low cybersecurity rating was between 14% and 33%.
60% of hospital IT teams said they have "other" spending priorities, and less than 11% said that cybersecurity is a high-priority spend. Hospitals charge an exorbitant amount for medical services, but little of it goes to protecting your data, and that is in the face of stringent HIPAA regulations. Attackers know hospitals will pay to recover quickly from a cyber incident. The industry must acknowledge that its wealth of data makes it a prime target. It has enough funding to pay to recover from cyberattacks but chooses not to invest in the controls that would prevent them.
How the healthcare industry can protect itself
The healthcare industry needs to buckle down on cybersecurity, and the US Government needs to buckle down on enforcing HIPAA standards in the industry. These are the non-negotiables that must start now:
- Healthcare IT administrators must sound the alarm and convince CEOs and boards of directors to invest in cybersecurity
- Patient data must be secured
- Internet of Things (IoT) medical devices must be secured
- Enterprise networks must be secured (and hold your third-party vendors accountable for data breaches)
There are many approaches to solving this and we advise healthcare IT administrators to contact us to learn more about how best to stay protected.
Dave Gast (CEH/SEC+/ITIL 4/PMP) is an INTRUSION Sr. Threat Researcher & Info/Cyber Security Subject Matter Expert with a 26-year active duty military career and a 10-year government contracting consulting role including extensive cyber intelligence and threat analysis.
Ready to get protected?
INTRUSION Shield is affordable for every business, large or small. We price per seat, per month – with no annual contract and no hardware to buy.