[BreachExchange] What should healthcare do about its cybersecurity problem?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 15 18:49:47 EDT 2016


http://medcitynews.com/2016/08/healthcare-cybersecurity-problem/?rf=1

The beat goes on when it comes to cybersecurity breaches in healthcare.

So far this month, Banner Health in Phoenix disclosed that it had data on
3.7 million people potentially exposed by a series of hacks. Another 3.3
million records were compromised at Newkirk Products, a company that issues
ID cards for several Blue Cross and Blue Shield carriers.

Meantime, research firm Frost & Sullivan forecast that hospital spending on
cybersecurity in the U.S. would grow by 13.6 percent annually for the next
five years.

But does it really have to be this way? Niam Yaraghi, a fellow in the
Brookings Institution’s Center for Technology Innovation, doesn’t think so.

In an op-ed for U.S. News and World Report this week, Yaraghi suggested
that healthcare might want to take some cues from the financial industry.
“Unlike healthcare organizations, the banking sector has mastered the art
of mitigating the consequences of privacy breaches,” he wrote.

According to Yaraghi, banks have learned to notify customers of breaches
quickly, then move to freeze the affected credit cards and send out new
ones. Plus, more and more financial institutions are including fraud
liability coverage with their credit cards.

“On the other hand, the response of healthcare organizations to a data
breach only consists of panic, mandatory reporting and in some cases,
provision of identity theft protection,” Yaraghi said. “Despite the fact
that medical data breaches can be disastrous for patients, healthcare
organizations have no viable strategy or technology to effectively reduce
the negative consequences of data breaches.”

They also seem to take a long time to go public when there’s a
cybersecurity lapse. Banner Health said it discovered the hacks on its
payment systems on July 7 and another breach of patient, beneficiary and
staff data on July 13. Some of the attacks actually started in June, but
the health system didn’t go public with the news until Aug. 3.

Yaraghi said that “independent research organizations” — you know, like
Brookings — and the federal government need to step in and identify motives
and methods of cybercriminals in healthcare. “The expertise and experience
of law enforcement agencies such as the FBI’s cybercrime division or the
Health and Human Services’ inspector general can also shed considerable
light on other ways through which criminal organizations use stolen medical
data to commit fraud,” he wrote.

The feds have actually started to act. On July 26, President Obama
issued a policy that, for the first time, specifies how the federal
government should respond to major breaches. It was not specific to
healthcare, though the White House named a threat to public health as one
criterion for declaring a breach a “significant cyber incident.”

Still, it is a reactive policy, not a proactive one that seeks to head off
cybersecurity incidents.