Every business has cybersecurity concerns, but one industry that has been seeing the worst of it and that seems to be the least prepared with data security is healthcare.  Recent industry studies and cyberattacks to healthcare organizations, only three months into a new year, raise even more concerns to what steps healthcare organizations are actually taking to secure data.

 

As you might be aware, the ransomware attack against Hollywood Presbyterian Medical Center is no longer the latest healthcare breach highlighted by the news; the ball passes on to the 21st Century Oncology cancer center, who just this month has notified 2.2 million current and former patients that their sensitive data, data such as social security numbers, have been exposed.

 

That’s a lot of sensitive data in the wrong hands, but what’s even more frightening is the fact that according to a recent report by Ponemon Institute, 13% of organizations in the US don’t know for sure how many attacks they have experienced.  If you don’t know if you’ve been attacked, you don’t know what has been lost or taken (by cybercriminals who will use that information in all the wrong ways).

 

Healthcare security and breaches is not a new topic.  From our own experience, as a leading information risk management consulting firm, we’ve found that most community based hospitals have never conducted a security assessment.  Additionally, a Trend Micro analysis of 10 years of data breaches found that more than one-fourth of all reported breaches since 2005 came from healthcare organizations.  Other past studies have also highlighted the higher monetary value of healthcare data for cybercriminals, not to mention the higher breach costs for healthcare providers.

 

In addition to healthcare providers being unsure if they have suffered a breach incident or not, nearly 80% of the healthcare organizations in the Ponemon study found that the most common root of attacks against them point to software vulnerabilities that were older than three months old. 75% of them say Web-borne malware was to blame for a security incident suffered; 70% software vulnerabilities less than three months old; 69% was blamed on spear phishing; and lastly, 61% was due to lost or stolen devices.

 

When you have software vulnerabilities that are older than three months as the top reason for a breach incident, it seems pretty clear that there is a major gap in what healthcare security pros are doing or not doing to meet compliance and the security needs of the facility.  Is it that they stop security at compliance requirements or are they oblivious to the fact that old vulnerabilities are a way in for cybercriminals? Or could it be a lack of resources?

 

There isn’t one answer necessarily, but it is clear that something is wrong when the security executive of a majority of healthcare organizations that suffered security incidents aren’t regularly patching the software they use within their organization.  That’s basic data security knowledge.  Of course, the communication gap between CIOs, CEOs, and the board doesn’t help and can explain some of the security holes within these organizations.  However, and no matter what type of organization we’re talking about, the fact remains that security is important to stay in business and protect sensitive data.

 

CIOs need to express their concerns and know what they’re doing.  CEOs and the board need to ask questions and talk to security consultants or get a second opinion to make sure the person they put in charge of their security is up for the task and doing what needs to be done to close as many vulnerabilities as possible.

 

Do you know where your security stands or what steps to take to achieve a strong security posture?

 

Photo courtesy of Brian A Jackson