With the recent onslaught of cyberattacks on healthcare systems, it is becoming evident that the healthcare industry as a whole is doing a poor job of protecting its patients' data. According to a recent survey by the consulting firm Accenture, cyberattacks will cost healthcare organizations $305 billion over the next five years.
32% of acute care facilities (hospitals) and 52% of non-acute care facilities (outpatient clinics and physician offices) are not encrypting their data in transit. Only 61% of acute care facilities and 48% of non-acute providers are encrypting data at rest. The fact that there are still healthcare systems not encrypting data at rest and in transit is disturbing. According to the Brookings Institution, one out of four data breaches this year will come from the healthcare industry. Given such disturbing facts, the question becomes: why is this happening to the healthcare industry?

Healthcare information is extremely valuable!

The FBI estimates that healthcare information is worth 20 times more than your credit card numbers. Unlike your credit card numbers and money, which are FDIC-backed, your healthcare information has little protection. A person's healthcare record contains their name, payment information, social security number, date of birth, and much more. This type of information can be used by criminals to commit identity and insurance fraud, or worse.

Health IT security is seriously lacking.

I attended a HIMSS seminar not too long ago; in one of the sessions there was a panel of CISOs (Chief Information Security Officers) from various hospitals. A disturbing fact emerged from this talk. Compared to the financial industry, which spends on average about 30% of its IT budget on cybersecurity, healthcare spends only about 5% of its IT budget on cybersecurity. A possible reason for this is that most health systems are more concerned with regulatory compliance and the interoperability of varying IT systems, so cybersecurity takes a backseat. Considering the number of vulnerable exposures a typical healthcare facility has and the value of health information, healthcare must put more emphasis on protecting itself from cyberattacks.

People are a weak point in healthcare IT security.
Recent ransomware attacks on health systems have highlighted a huge weak point in health IT security: people. Ransomware typically arrives through phishing, where an attacker embeds malware in a legitimate-looking email or link. Once an employee inadvertently clicks on the link, the entire system is held hostage until the ransom is paid. Many healthcare IT professionals have indicated that they are understaffed and underfunded to properly defend against such attacks. However, training employees to properly identify and react to a cyberattack can go a long way toward preventing one. Healthcare is entering uncharted waters as it transitions to a digital world. Having healthcare information readily accessible makes healthcare delivery more efficient. However, protecting that information against sophisticated cybercriminals must take higher precedence. Fortunately, healthcare systems and government policies are beginning to take shape to help combat this threat. Hopefully the pattern continues to trend in a positive direction.
About Paubox: Paubox is a provider of seamless and secure HIPAA compliant email encryption.