Weak IT Security Programs May Spell Disaster for Healthcare Organizations' Bottom Lines
March 25, 2015 – William Ahrens and Marc Grossman
Recent successful cyber attacks against large, well-known healthcare organizations — such as the widely discussed Anthem security breach — are forcing organizations of all sizes across the continuum of care (health systems, hospitals, physician practices, IPAs, and payers) to give IT security increased attention and investment. Cyber attacks can wreak havoc on an organization’s reputation and have a significant negative impact on its bottom line.
Several trends point to a difficult future for the healthcare industry in terms of IT security:
• The number and sophistication of cyber attacks on healthcare organizations are increasing at a dramatic rate. A recent survey found that over 90 percent of healthcare organizations reported at least one data breach over the last 2 years.
• Increased reliance on information technology (partially mandated by the HITECH Act): an average hospital has 300+ systems plus electronic monitors, which presents a huge (and ripe) attack surface for would-be hackers.
• HIPAA and Meaningful Use regulations require healthcare organizations to make electronic protected health information (e-PHI) both accessible and secure.
• “Bring Your Own Device” (BYOD) policies enhance physician workflow, but potentially expose e-PHI and pose a challenge for IT security staff and anti-malware tools.
• Patient information stored in EMRs includes date of birth, SSN, credit card numbers, addresses, and medical information, making it significantly more valuable than other types of online data. Recent estimates put the value of a patient medical record at $40 - $250, vs. $0.35 - $4 for a credit card record.
• Both the size of HIPAA fines and the number/frequency of HIPAA audits are increasing. One large health system paid $4.8M in fines; the total cost resulting from another’s breach was reportedly $150M.
• CMS audits are expected to increase in 2015. One facet of the audit may require submission of the Security Risk Analysis documentation; one hospital is already expecting to return $900K in MU Stage 1 payments because its risk assessment was not completed during the year covered by the CMS audit.
Compromised security has long-term effects on healthcare organizations due to bad press; potential HIPAA and credit card company fines for failure to comply with security requirements; patients suffering identity theft; and the loss of patient confidence and loyalty. Healthcare organizations have already spent nearly $1.4 billion to notify more than 6.9 million individuals affected by compromised electronic records in 2013.
While in the past healthcare organizations often felt cyber attacks would not happen to them, the increasing number of data breaches over the past few years is beginning to make cybersecurity and data privacy a Board-level governance concern. It is important that Board members, executives and directors recognize cyber risks as part of their duty to review risk practices, business continuity planning, and disclosure of material risks. Healthcare organizations handle significant amounts of sensitive information, extremely valuable to cyber thieves, and all of this data must be protected.
Failing to take adequate cybersecurity measures, and the data breach that can follow, can lead to loss of public trust in an organization. Unfortunately, healthcare organizations often have limited resources to invest in information security, leading to IT systems and security appliances that may be outdated, and therefore highly vulnerable.
Organizations must approach cybersecurity holistically, as they would handle their financial health. It is the collective responsibility of everyone in an organization to protect it from cyber attacks.
Preventative Steps
Organizations should take all necessary precautions to avoid being the next headline and negatively impacting their bottom line.
• Develop an IT security management program
• Proactively address known and potential threats
• Continuously monitor for and address human error
• Assess the relationship between physical security and cybersecurity
• Maintain a security awareness program about various types of malware threats and take action to address vulnerabilities in your IT environment
• Acquire and implement good defensive technologies to protect electronic patient health records
• Develop, maintain, and enforce appropriate security policies and procedures
• Be ready to face a breach with an incident response plan
3rd Party Vulnerability Assessments - Cost-Effective and Essential
• Minimize vulnerability to cyber attacks
• Reduce impact of and shorten recovery time from an incident
• Ensure compliance with HIPAA and MU regulatory requirements
• Improve system performance
• Reduce the impact on staff by implementing more automated tools
• Avoid large fines and/or loss of data
William Ahrens is a senior manager and Marc Grossman is a principal at WeiserMazars LLP, developing and implementing information technology solutions for health care institutions.