Most consumers have been either directly or indirectly impacted by credit card or personal financial information thefts by hackers. These consumers are clearly more careful about how and where they shop, as well as having new credit cards issued or having their credit monitored. However, there is a set of data that almost all people maintain and that is 10 times more valuable to hackers on the Dark Web than credit card numbers: your healthcare record.
Healthcare records hold a wealth of information that a hacker can monetize. They often contain Social Security Numbers, birth dates, financial information, personal and business addresses and other valued personally identifiable information (PII). However, it’s the information that you wouldn’t think of that the hackers are really after.
Healthcare information can be used for blackmail, with the threat of publishing specific diagnoses to targeted, interested parties or to the public. Hackers can use your insurance information to file false insurance claims and then cash the reimbursement checks. If a patient is prescribed certain drugs that are popular on the street, the hackers can put in false prescription requests at multiple pharmacies and then sell those drugs. Because your healthcare record is so unique and so incredibly personal, it can’t be changed as easily as issuing a new credit card.
In fact, a recent KPMG report discovered that 81 percent of U.S. healthcare organizations (hospitals and insurance companies) have been breached in the past two years (Disclosure: I am an employee of KPMG). This is an amazing statistic, but is understandable when you really consider the wealth this data provides.
But is the healthcare industry adapting to market changes fast enough? Not as fast as you would think. According to the KPMG report:
19 percent of healthcare providers (hospitals) and 8 percent of payers (insurance) do not have a leader whose sole responsibility is Information Security. Only 53 percent of healthcare providers and 66 percent of payers feel that they are adequately ready to defend against a cyber-attack. Furthermore, only 16 percent of both providers and payers say that they can detect in real time when a breach has occurred.
That means that 84 percent of all U.S. healthcare organizations can’t tell if they’re being hacked, which in reality means that they have probably already been breached, and the malware could be sitting in their systems for days, weeks, months or even years, just waiting for the data to be harvested.
Bad actors will evolve with the times. As long as there is data to monetize, bad actors will find any way possible to penetrate a company’s firewalls. Just as a bad actor has to evolve with the times, so does the CIO.
Cybersecurity should not be thought of as a patch or a problem with a one-time fix. Healthcare CIOs should look at security as a constantly growing ecosystem that needs to be tended to, watched and upgraded when needed. To create this ecosystem, a healthcare CIO needs to think about his/her overall investment in cyber: Where am I spending my budget — in people or technology? Do I have security protocols in place if an attack is discovered? Do I have a dedicated team whose only responsibility is keeping my organization safe? Am I properly training the entire staff of my organization about proper handling of information? Will we lose the trust of our patients if we fail to protect their information?
And how do I stay one step ahead of the bad actors?
Greg Bell is a principal in the Atlanta office of KPMG’s Advisory Services Practice and serves as KPMG’s Service Leader for the Information Protection (Security, Privacy and Continuity) practice. With more than 25 years’ experience, he is versed in various areas of Information Management and Information Security, with particular specialization in the fields of IT risk management and business enablement.
Greg is a trusted business advisor helping leading companies protect their critical business information by helping to align their most important business processes with supporting technologies and foundational risk management elements. He has a strong background in complex business processes, distributed enterprise systems, and information risk management techniques. He has extensive knowledge and experience managing complex projects implementing, administrating and securing complex client-server and heterogeneous network technologies.
The opinions expressed in this blog are those of Greg Bell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.