Three reasons why healthcare needs to devote more resources to security
Despite the recent rise of data breaches involving ransomware and malware targeting healthcare organizations, the industry is still unprepared to combat these kinds of malicious attacks. According to the 2016 HIMSS Cybersecurity Survey, 32 percent of acute and 52 percent of non-acute providers are not encrypting data in transit, and only 61 percent of acute providers and 48 percent of non-acute providers are encrypting data at rest. Results of this survey were released only a few weeks after the latest massive cyberattack on a Phoenix-based health system compromised the records of 3.7 million individuals. In this attack, hackers targeted data from credit cards. The health system confirmed that the attack began on systems that process credit card payments for food and beverage purchases at the health system’s locations.
Leaving payment card data unencrypted exposes it to the threat of malicious cyberattacks. Compared to other industries, unencrypted data is still a big problem in healthcare. According to the California Data Breach Report, more than half of all healthcare breaches last year were a result of a failure to encrypt data. In comparison, only 16 percent of breaches in other industries were a result of failure to encrypt data.
Unencrypted payment data in healthcare is particularly problematic because criminal attacks are increasingly targeting healthcare organizations. According to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data from the Ponemon Institute, criminal attacks are the leading cause of a data breach in healthcare for the second year in a row. Ponemon describes criminal attacks, including ransomware and malware, as “the deliberate attempt to gain unauthorized access to sensitive information, usually to a computer system or network, resulting in compromised data.” In 2015, 50 percent of healthcare organizations reported that the nature of their breach was a criminal attack.
In addition to ransomware and malware, theft and employee negligence are also primary causes of data breaches. In fact, most healthcare organizations indicated employee negligence as their primary security concern (Ponemon). In all of these security incident scenarios, encryption can help protect against a breach, yet many healthcare organizations store and transmit unencrypted data. Why?
Many healthcare organizations are not devoting enough resources to security. The HIMSS Analytic Healthcare IT Security and Risk Management Study shows that on average, only 6 percent of the healthcare industry’s IT budget is allocated to IT security. According to the study, 50 percent of survey respondents said 0-3 percent of their IT budget is allocated to IT security. Healthcare organizations are also not doing enough to be compliant and secure. Only 20 percent of survey respondents comply with key security mandates, including HIPAA and HITECH. The 2 percent that are compliant still may not be doing enough to be secure, as mandates don’t always address changes in IT, such as cloud and mobile technologies, to properly secure ePHI. In other words, just because an organization is compliant does not mean that it is not at risk of a security incident.
The healthcare industry needs to understand the risks of cyberattacks in order to combat these threats effectively. The biggest risks facing healthcare organizations include:
Costs following a breach
The Ponemon Institute estimates that data breaches could be costing the healthcare industry $6.2 billion, including the fines and settlements an organization must pay as a result of a breach. A recent breach that led to the compromise of the electronic data of four million patients has resulted in the health system paying the largest settlement ever by a single entity – $5.55 million – to the U.S. Health and Human Services Department.
Cybersecurity is important from a consumer perspective as well. 48 percent of consumers would consider changing healthcare providers if their medical records were lost or stolen (Ponemon). Such a significant decrease in retention could have a severe financial impact on healthcare providers. Analysis from Accenture shows that healthcare providers that do not make cybersecurity a strategic priority will put $305 billion of cumulative lifetime patient revenue at risk over the next five years.
When a major data breach makes headline news, all eyes turn to the organization’s top decision makers. After news of the Target breach, both the CEO and CIO lost their jobs. The blunt truth is that when a serious data breach damages the reputation of an organization, someone is going to be held accountable.
To mitigate these risks, healthcare organizations can leverage point-to-point encryption (P2PE) to encrypt data on their networks and significantly reduce the risk of a breach. P2PE is a payment security solution that encrypts payment card data from the point of interaction (e.g., at the point of swipe, dip or keyed entry) until the data reaches a secure endpoint. P2PE makes data unreadable by unauthorized parties, which protects it in the event of a breach.
By leveraging P2PE, healthcare organizations can be sure they are processing payments in a secure way. For the highest level of payment security, healthcare organizations can work with a PCI-Validated P2PE solution. A PCI-Validated P2PE solution has been assessed and approved by the PCI Council for meeting the rigorous PCI requirements for P2PE validation. Only solutions listed on the PCI website are P2PE Validated solutions.