[BreachExchange] Cybersecurity is a big issue for the healthcare industry

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 17 19:17:34 EDT 2017


https://www.csindy.com/coloradosprings/cybersecurity-is-a-big-issue-for-the-healthcare-industry/Content?oid=6536323

Our healthcare industry is woefully behind the financial and government
industries when it comes to protecting data from intruders. Budgeting,
recruiting cyber security professionals, and a lack of understanding,
awareness and training in modern cybersecurity risks are key contributors
to the problem. And it's not getting any easier.

Not too long ago, medical records were kept on paper. That information —
patient records, medical histories, etc. — later had to be translated to
digital formats via painfully slow processes. With no national standard
regulating what information would be transferred or how, a smattering of
administrative personnel and other industry workers were charged with
completing the process, and human error laid the foundation for the
industry's cyber security issues today.

During the digital boom in the '90s, industries slowly transitioned their
data to digital form. But the healthcare industry was slow to adapt. The
lack of security standards, disparate systems, and the overall cost made
the transition to digital records move at a snail's pace. The healthcare
industry saw cyber security as an IT problem, and treated it as such. It
failed to recognize that cyber security is outside the scope of the usual
IT department functions, as well as how important experts, equipment,
software and training really are.

Though the majority of healthcare organizations are now allocating a
percentage of their budgets to cyber security, according to Healthcare
Informatics, the site also reports on a recent HIMSS survey showing that 60
percent of healthcare organizations surveyed are spending around three
percent of their budgets on cyber security. That’s still less than half of
what some in the financial industry are spending.

Years of indifference have led to the current rise in data breaches. The
Ponemon Institute estimated the average cost of a breach in healthcare
facilities to be million dollars, in its most recent report. Though the
cost of breaches is down from previous years, Ponemon notes the average
size of the breaches has increased.

The list of breaches for 2017 includes Bronx-Lebanon Medical Center, which
exposed tens of thousands of records due to a vendor's misconfigured backup.
The National Health Service in England and Scotland was hit by the WannaCry
ransomware, disabling the systems that workers needed to access to treat
patients. And another ransomware attack on ABCD Children’s Pediatrics in
San Antonio affected more than 55,000 patients' social security numbers,
insurance billing information, dates of birth, medical histories and more.

A lack of cyber security investment results in costs of millions of dollars
per breach instead, something the healthcare industry now sees as a reason
to pay attention to cyber security. Progress is being made, but a lot more is
needed. Lives are on the line.

Addressing this problem won't be easy. Health care facilities around the
country have to modernize their computer systems across the board, getting
rid of legacy systems for more protection against malware attacks. Training
for industry professionals from the top down, and recruiting cyber security
experts to the industry are needed as well, not only to create another line
of cyber defense, but to change the culture and approach to cyber, ergo,
patient security. This all means a dramatic increase in focused spending —
expensive, but not as expensive as the cost of a real breach.

Some healthcare facilities are starting to move in this direction. Risk
frameworks and assessments are increasing with organizations adopting the
National Institute of Standards and Technology. But without a momentous
change in the way the healthcare industry approaches cyber security, the
problem will get worse. It's already a matter of life and death.