Healthcare providers have seen an increase in cyberattacks in recent months, leaving the sensitive data of hundreds of thousands of people potentially exposed to bad actors. According to Bloomberg, health data breaches can cost more than $400 per patient, and yet only 33% of health departments have defenses for a breach.
Insurance brokerage giant Gallagher recently published a paper setting out six fundamental measures that all organizations can implement to materially improve their cyber security: antivirus and malware prevention, firewalls, patching, encryption, PCI DSS compliance, and employee awareness and training.
“First and foremost, healthcare organizations need to ensure they’re complying with HIPAA as an overall regulatory framework,” said Adam Cottini, managing director of Gallagher’s cyber liability practice. The HIPAA Privacy and Security Rules dictate that healthcare providers and organizations must follow standards for the protection of individually identifiable health information, as well as the confidentiality, integrity and availability of electronic health information.
“The HIPAA regulation has been around for a long while and the healthcare industry is tuned into the privacy requirements. Where the challenge comes is with the advancement of technology and how new technology exacerbates the vulnerabilities in the healthcare space relative to protecting and securing information,” Cottini commented.
“Once an organization is secure in its HIPAA compliance, then it can start thinking about cyber security priorities. In our whitepaper, we’ve focused on anti-virus protection, firewalls, patching, encryption technologies, regulatory compliance, and a very big one – employee training and awareness, which we believe really underscores the commitment an organization has to a culture of risk awareness.”
It is said time and again that employee training and awareness is the key to cyber security. Healthcare professionals, doctors for example, are typically so busy and stretched that accidentally clicking on a malicious email becomes all too easy. Cyber security simply isn’t top of mind.
“Cyber security doesn’t seem to rise to the same level of priority as other areas of security, but the statistics clearly show that phishing and social engineering is a major driver of a lot of the cyber events that are happening these days, which is why we believe organizations have to continuously drive down on employee training and awareness,” Cottini added.
Raising awareness is the first step. After that, according to Cottini, healthcare organizations need to embed cyber security best practices into their culture. Gallagher suggests two practices in particular: encouraging employees to report suspicious emails, and rewarding those who flag issues.
Cottini noted: “Placing bigger emphasis on the actual process of detecting phishing emails or social engineering should encourage further development of cyber best practices, and it should also help to develop a better risk for insurers.”