protective measure taken versus the current state of aggression
by hackers, are healthcare providers and plans generally more or
less vulnerable to data breaches in 2017 versus the recent
Principal, Cyber Risk Services, Deloitte & Touche LLP
Health care faces a unique challenge when it comes to
cyberattacks in that the data collected by the industry is,
by nature, personal and highly valuable to hackers. In
addition, health care organizations have not historically
had the same resources or incentives as other industries to
invest heavily in building stronger cybersecurity programs.
89 percent of health care organizations sustained a data
breach during the past two years, and nearly half of those
attacked reported five or more breaches. The combination of
valuable information and the lack of a sophisticated cybersecurity
program to protect it has led the industry to become a prime
target for cyberattacks, a trend that may continue for some
time if cybersecurity issues are not thoroughly addressed.
Given the risks, what should health care executives
be thinking about and addressing in order to prepare for and
respond to cyber incidents?
• Convene the right team. Cybersecurity is not just an IT
issue, but a business issue that requires involvement from
stakeholders across the
• Identify top risk areas and assets. In most enterprises,
particular data sets (such as patient records), clinical
systems, medical devices, or other digital assets represent
high value unto themselves.
• "Right size" spend to reduce incident impact. While greater
investment may be required, understanding an organization's
unique risks and investing in a risk-focused manner is key.
• Modernize what "readiness" means. With awareness of what
assets matter most to the organization, plans can be made to
involve the various parties needed to protect, defend, and
recover if compromised.
Cyber readiness is not just
about being prepared to respond after an incident occurs.
According to a recent report by Deloitte, over 95 percent of
the impacts of a cyberattack on a health care organization
may not be immediately identifiable - and the full impact
may take years to play out. Executives need to recognize
that cyberattacks impact their entire business and are not
just a task for IT departments and third-party security
vendors. A risk-based cyber risk management program must be
implemented and exercised to reduce the impact of an attack.
Cybersecurity starts at the top, and understanding this can
help health care executives build stronger, more secure
Robert J. Hudock
Member of the Firm, Epstein Becker Green
Overall, we believe organizations
may be less vulnerable to attacks because of better patching
and security awareness. However, incentives are such that we
expect to see more frequent and more severe data breaches in
Healthcare providers and plans have spent significant
resources in deploying new security tools in 2016. At the
same time, market incentives continue to encourage hackers
to create better methods to gain access to sensitive
information systems. Compared to only a few years ago,
ransomware has emerged as a key risk, where hackers are able
to easily profit from the malicious encryption of patient
records. We have also seen a major uptick in identity theft
rings who now regularly seek out healthcare providers to
obtain patient records.
Moreover, the evolution of social
media, including LinkedIn and Facebook (as well as other
open source research resources), greatly assists hackers in
researching an organization and then carrying out more
effective phishing attacks. Instabilities around the world
have also resulted in more individuals being drawn into a
life of crime as a hacker, partly because of the absence of
profitable alternatives. Being a black hat hacker is now a
viable career choice in Ukraine, Russia, and China (to
name only a few).
Probably most concerning is the unintended
consequence of many security tools being brought to market.
Organizations concentrate on the acquisition of new tools
as opposed to focusing on understanding how the organization
works and tightening the organization's attack surface.
Tools are great, but if not coupled with competent security
professionals, a tool is merely eye candy.
Finally, in the absence of competent guidance, organizations
adopt a check-the-box-type security model and implement
security controls, typically by deploying a new tool, to
conform with an industry standard, as opposed to addressing
the real security risks of the organization.
CEO, Center of Health Engagement
It has become clear that security breaches will continue for
at least another year. There are three main reasons:
First, health care providers, from hospital/health systems
to single-physician offices to outpatient clinics and urgent
care centers, have not uniformly kept up with installing
updates to any security software. Since updates are not
uniform and the requirement for reporting is not immediate,
there are more breaches reported, and often they are several
months old (or older).
Second, because patients use
many sites for care, and records have to travel to each of
the sites (at least occasionally), the security of these
transmissions from each site to the next can be compromised
with little difficulty. FHIR technology can detect some of
these interceptions and alert the sender/receiver, but it
typically does not ensure the safe sending between two
different platforms that are outside FHIR code.
Third, it is important to remember that healthcare providers
and plans send to administrative consultants, such as
payment management, benefits consultants, plan sponsors,
pharmacies, among others. Their platforms are unlikely to be
on the same secure platforms as the health system, nor have
the FHIR technology that could alert quickly that someone
has seen a record(s) that should not have been accessed.
The most important, zero-tolerance action that needs
to be taken is to create an internal mandate at any company
that sends or receives medical health records. Everyone on
the staff, from receptionist to CEO should be trained and
retrained in the security procedures that endanger patient
information. There should never be paperwork lying in open
areas, and the laptops and desktops should be sharing the same
security levels and updates. Any breaches must be
immediately reported, with new precautions installed and
reported to all staff.
(c) 2017, MCOL, Inc. All Rights Reserved. No redistribution allowed.