Consultants to Contact

Testimonial

Health care organizations – such as insurers and care providers – are often seen as rich targets for identity thieves because they protect so much information belonging to a large number of people. Even a small doctor's office may have patient records for hundreds of people stretching back years or more, and that can often include information such as medical history and personally identifying data. Unfortunately, new polling suggests these organizations just aren't doing enough to protect sensitive patient data.

Indeed, health care lags behind nearly all other industries, ranking 15th out of 17, when it comes to cybersecurity, particularly “endpoint security,” meaning protection where data is stored, according to SecurityScorecard. For instance, in the examination of security standards for about 1,200 organizations in the sector, it was determined that 60 percent of the most common issues related to cybersecurity were arising due to poor standards as it related to updating software regularly.

In fact, all the organizations examined, whether they suffered cybersecurity lapses or not, exhibited at least some problems with how regularly they patched software and maintained good network security, the report said.

“Last year took a toll on the overall cybersecurity confidence in healthcare organizations, with dozens of ransomware attacks, and data breaches,” said Jasson Casey, chief technology officer at SecurityScorecard. “It's no surprise that our research team found health care organizations are behind in proper network and endpoint security protocols.”

Cybersecurity is one of the biggest issues in health care.Cybersecurity is one of the biggest issues in health care.

Dealing with the issues
For their part, health care organizations are aware of their shortcomings when it comes to maintaining strong security standards, according to a recent KPMG poll. In fact, more than half of the 154 respondents say they either don't have a firm, written cybersecurity policy in place or don't know if they do. Perhaps not surprisingly, more than 3 in 4 said they had suffered at least one data breach, and of that number, more than half said they lost sensitive information as a result of a data breach.

Along similar lines, nearly 3 in 10 said they don't know what to do in the event of a data breach being resolved, the report said. The same number stated their biggest weakness in this regard was a lack of proper training to ensure proper strategies were being followed.

Michael Ebert, a partner at KPMG and its cyber leader for health care, noted that the findings highlight a serious issue for health care IT departments: the need to start bridging the gap between understanding the weaknesses and actually addressing them. Otherwise, the potential fallout from suffering a breach that exposes sensitive business or patient data – or worse, locks care providers out of their own computer systems via malware – could be significant and costly, not only in terms of the money spent to remediate the damage, but also in terms of what such an incident does to their reputations in their communities.

A major issue
Meanwhile, a significant issue that many health care providers face when it comes to cybersecurity has more to do with insider threats than hacking attempts, according to a new survey from Accenture. In all, 18 percent of employees at a health care organization said they would be willing to sell sensitive patient data to an unauthorized part for the right price, which can often fall as low as $500. Another quarter of respondents said they knew someone else at their companies that had already done so.

Meanwhile, other risks linger, with more than 1 in 5 saying they leave their login credentials written down next to their computers, even as 99 percent of respondents said they understand their own role in keeping sensitive information safe, the report said.

It isn't just that it's important to insulate against cybersecurity threats for internal reasons, it's also vital for care providers and insurers to make sure they aren't running afoul of any state or federal regulations related to data protection.