2018 was a very bad year for healthcare cybersecurity

With the healthcare industry under constant attack, organizations must create distinctive, comprehensive risk management strategies

by AT&T Business Editorial Team

As another year comes to an end, it’s a natural time for reflection and resolution. So, let’s review the concerning state of cybersecurity in healthcare and look forward to how organizations can better ensure that they aren’t the next victim of an attack. Hint: simply increasing cybersecurity spending is NOT the answer.

Healthcare data, patient records under attack

According to Protenus, Inc., through Q3 of 2018 there were 369 publicly disclosed data breaches in healthcare, affecting 8,663,898 patient records. Over eight-and-a-half million. And the number of patient records affected climbed each month through September.

Hackers were the leading cause of data breaches, using malware, phishing attacks and theft to steal valuable patient, employee and employee candidate data. As noted in Healthcare IT News, in a year described as the worst yet for hacking in the healthcare industry, these bad actors were responsible for 83% of data breaches from July to September 2018. And hacking incidents increased each quarter (through Q3) from 30 to 52 to 60.

While hackers create the headlines, employees facilitate the havoc. Protenus says in the second quarter more than 30% of healthcare breaches were due to employee mistakes or misconduct. Personnel aren’t just the most vulnerable access point to critical data for criminals, they’re also perpetrators. Employees were guilty of breaching patient privacy, with family snooping the most common insider-related offense, according to Protenus.

Third-party vendors and business associates were responsible for nearly 800,000 breached records in the same quarter. This shows the need for better vetting before healthcare organizations hand the keys to their data to a third party or an associate.

What it means for 2019 and beyond

The data from 2018 illustrates that there is a problem with security throughout the healthcare industry. Information security experts warn that healthcare will be the biggest target for cybercriminals over the next five years, as noted in Healthcare IT News. The financial burden on attacked organizations is crippling, but the reputation risk is even greater. CSO quotes the average cost of a single ransomware attack as $5 million. And reputation cost? Aetna’s Health Ambitions Study reveals that a greater percentage of healthcare consumers ranked privacy (80%) and data security (76%) as important aspects of healthcare over cost of care (73%), personalized care (71%) and coordination among healthcare providers (68%).

But there’s a chasm in perception among business leadership. An organization’s decision makers assume a higher level of security than do their IT employees. In the latest AT&T Cybersecurity Report, 60% of C-level executives felt the security solutions in place are keeping them safe, compared to 29% of IT gatekeepers. And the disconnect is palpable. Just 53% of IT decision makers felt that business leaders understand the importance of security, and for organizations with in-house-only security management, the ratio dropped to 39%.

A smarter approach to security

Healthcare companies must have an effective security risk management strategy built on the concept of edge-to-edge protection. They need to know what their data security priorities are, have policies that are effectively enforced, and bring an approach to cybersecurity that’s surgical, working from the inside out, to understand every fit and function of their organization. Without proper guidance, healthcare organizations could be throwing money into cybersecurity with little return, strangling their operations rather than supporting them.

“Not all investment is good investment. You need to know what your data security priorities are first,” says Todd Waskelis, AVP with AT&T Cybersecurity Solutions. He notes that “without this understanding, you could be chasing a shiny object of little value.”

An outside managed security solutions provider (MSSP) can help solve those problems and build confidence in the defense against cybercriminals. The right MSSP creates a cost-efficient, centralized security strategy that will support business operations, not hinder them. It enables the company to focus on new technologies and innovation while the provider manages the cybersecurity strategy. And it brings ever-evolving knowledge to its healthcare customers, including 24/7 threat monitoring and support, the latest insights on emerging security threats, and access to enhanced network security features.

While cybersecurity has traditionally been viewed as an IT issue, in today’s digitized world that thinking is dangerous. Organizations need to eliminate silos, collaborate to transform business operations, and place cybersecurity front and center.

The AT&T Cybersecurity Report reveals that 47% of organizations consider a vulnerability assessment a high priority in their IT security strategy. So as healthcare companies work toward their future security, the first step is to complete a quick risk assessment. Consider it a self-check-up.