Growth in IT infrastructure has afforded healthcare organizations unprecedented ease of operations by connecting an increasing number of network devices. Physicians, patients and clinicians now stay in constant contact to provide services round the clock. However, that convenience continues to mask the risks; worse, it has led organizations to ignore the vulnerability of a cyberspace in which the defense between attackers and targets is fragile.
The Ponemon Institute's Fifth Annual Study on Privacy and Security of Healthcare Data documents a 125 percent surge in criminal attacks on the healthcare industry since 2010. Based on responses gathered from 90 CEs (covered entities) and 88 BAs (business associates), the report identifies criminal attacks as the primary cause of data theft. “While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number-one cause,” according to the Institute’s chairman and founder, Dr. Larry Ponemon.
The research estimates data breach losses at a whopping $6 billion and calculates healthcare firms’ average data breach cost at more than $2.1 million, while the average cost of a data breach to BAs is estimated at more than $1 million. Forbes estimates the number of health records stolen in the security incidents at Community Health Systems (CHS), Anthem and Premera at “about 95.5 million,” which comprises “almost 30% of the entire U.S. population ‒ in less than one year.”
No company is immune, but each must build defense
The Ponemon study finds, “No healthcare organization, regardless of size, is immune from data breach.” Indeed, size hardly matters to attackers: it is the resale value of individual credentials that creates demand, which makes overcoming information security challenges in SMEs just as critical, since small enterprises face plenty of challenges too. Health insurance information, for example, reportedly sells at $20 each, while additional ailment information fetches another $20.
Rick Kam, CIPP/US, president and co-founder of ID Experts, the sponsor of the above-cited Ponemon study, holds a similar view: “A breach is a breach, no matter how small. Whether 5,000,000, 5,000, or 50 individuals are affected, the impact to each and every person is a big deal.” For organizations, the margin for error grows increasingly thin. It is a battle in which defenders can only defend, while adversaries need only a narrow window, one that the fragile nature of cyberspace already provides.
On the other hand, it is worth noting that while no organization is immune from attack, each of them must develop a robust defense, which involves diligent and dutiful implementation of information security risk management. Further, a resilient defense must cover two factors: technical and cultural. While technical resilience, in today’s scenario, includes protecting data in the cloud and efficiently managing connected network devices, cultural robustness must knit all forces together.
Technical robustness, supported by efficient implementation of defense, speaks louder than resolutions chalked out in a post-breach meeting. The influx of a multitude of devices makes the environment ideal for intrusion, since infecting any single device on the network can open access to the entire infrastructure. Continuous checking of infrastructure security status, with particular emphasis on the safety of individual equipment, is crucial for healthcare organizations.
The Ponemon study observes that, despite the increasing cost of data breaches, “half of all organizations have little or no confidence in their ability to detect all patient data loss or theft.” The lack of confidence could be attributed to multiple reasons, including the very size of the organization involved. However, collaboration with a trusted partner goes a long way in enabling companies to strengthen their overall IT infrastructure. Risk management software that is constantly upgraded to meet the latest information security demands improves functionality while maintaining the integrity of the system.
Efforts to build a resilient IT infrastructure are contingent upon healthcare organizations cultivating a risk-aware culture. This is achieved through constant communication about appropriate risk behavior and by getting employees to participate voluntarily in the organization's risk culture. Essential to that participation are policies that create an invisible framework for operational excellence, allowing the security message to spread through the ranks, beginning with the chief security officer.
Also, employees entrusted with critical tasks must be put through adequate training on information security. It is often observed that employers emphasize expertise in the healthcare domain, but not as much technical skill. While it is imperative to hire staff with information security management skills, healthcare professionals must also be given periodic training to ensure they are prepared to take on the evolving challenges targeting infrastructure.