by Greg Bell

Keeping out bad actors: Why healthcare CIOs need to be more concerned about securing customer data

Nov 16, 2015
Cybercrime, Data and Information Security, Electronic Health Records

There is no way to stop the attacks against healthcare organizations, but we can change the way companies view their data and reshape the strategy surrounding how they protect it.

Most consumers have been directly or indirectly affected by the theft of credit card or personal financial information by hackers. These consumers are understandably more careful about how and where they shop, and many have had new credit cards issued or their credit monitored. However, there is a set of data that almost everyone maintains and that is reportedly worth ten times more to hackers on the Dark Web than a credit card number: your healthcare record.

A healthcare record holds a wealth of information that a hacker can monetize. Records often contain Social Security numbers, birth dates, financial information, home and business addresses and other valuable personally identifiable information (PII). However, it is the information you would not think of that the hackers are really after.

Healthcare information can be used for blackmail, with the threat of disclosing a specific diagnosis to targeted, interested parties or to the public. Hackers can use your insurance information to file false claims and then cash the reimbursement checks. If a patient is prescribed drugs that are popular on the street, hackers can submit false prescription requests at multiple pharmacies and then sell those drugs. And because a healthcare record is so unique and so personal, it cannot be replaced as easily as a credit card can be reissued: a stolen diagnosis or Social Security number stays stolen.

In fact, a recent KPMG report found that 81 percent of U.S. healthcare organizations (hospitals and insurance companies) had been breached in the past two years (Disclosure: I am an employee of KPMG). This is a striking statistic, but it is understandable once you consider how valuable this data is.

But is the healthcare industry adapting to this threat fast enough? Not as fast as you would think. According to the KPMG report:

  • 19 percent of healthcare providers (hospitals) and 8 percent of payers (insurers) do not have a leader whose sole responsibility is information security. Only 53 percent of providers and 66 percent of payers feel they are adequately prepared to defend against a cyber-attack. Furthermore, only 16 percent of providers and payers say they can detect in real time when a breach has occurred.
  • That means 84 percent of U.S. healthcare organizations cannot tell when they are being hacked. In practice, an organization that cannot detect an intrusion has probably already been breached, and the attacker's malware could sit in its systems for days, weeks, months or even years, quietly harvesting data before anyone notices.

Bad actors evolve with the times. As long as there is data to monetize, they will find any way possible to get past a company's firewalls. Just as the bad actor has to evolve, so does the CIO.

Cybersecurity should not be thought of as a patch or as a problem with a one-time fix. Healthcare CIOs should look at security as a constantly growing ecosystem that needs to be tended, watched and upgraded when needed. To build this ecosystem, a healthcare CIO needs to think about his or her overall investment in cyber: Where am I spending my budget, on people or on technology? Do I have an incident response plan in place for when an attack is discovered? Do I have a dedicated team whose only responsibility is keeping my organization safe? Am I properly training the entire staff on the proper handling of information? Will we lose the trust of our patients if we fail to protect their information?

And how do I stay one step ahead of the bad actors?