Cybercrime Is Health Care’s $6 Billion Dollar Problem

Cyberattacks on health care organizations have increased 125 percent over the past five years, and experts estimate these attacks are costing the industry $6 billion.

Health care organizations are easy targets, but hackers don’t care about diagnosis codes — they’re out to steal a person’s identity.

A recent independent study conducted by the Ponemon Institute evaluated 90 health care providers and 88 business associates and concluded that 45 percent of the participants in the study identified a cyberattack as the root cause of a data breach. With cyberattacks increasing and patient data becoming increasingly valuable, one would assume that the industry is responding. Unfortunately, that isn’t the case — 40 percent of those in the study weren’t concerned that they were at risk.

Health records are full of personal information

Hackers have learned that health care organizations are easy targets. They don’t really care about the diagnosis codes and treatment information in a medical record — they are after the personal information needed to steal a person’s identity. While thieves love stealing credit cards, that number is only useful until it reaches its limit or the owner realizes the card is missing. It’s much easier to steal information from one medical record that will allow a hacker to get new credit cards, loans, or tax refunds.

Security breach is a hard, $2.1 million lesson

Organizations that have been the victim of electronic attacks have learned a hard but valuable lesson. They understand that regardless of whether they are a 50-bed senior living facility or a major hospital system, it can happen to them. The organizations that have been targeted at the beginning of this tidal wave of malicious activity are adjusting because they understand the significant impact it can have on their business. The Ponemon study calculated that the average cost of a security breach is in excess of $2.1 million.

Organizations that have not been attacked, or more likely, organizations that do not realize they have been attacked, appear to be under the impression that it won’t happen to them because they are too small or their information technology team has everything under control. While your information technology team is probably excellent, they are most assuredly under staffed, under trained, and working diligently just to keep the network up and running. The team probably spends much of their free time worried about security, but lack the resources to defend the network.

Protecting yourself from cybercrime

How do you protect your organization from cyberattacks? The following list provides a good outline for any organization that wants to reduce the risk of cybercrime. Although these points appear deceptively simple, it will require a concerted effort across the entire organization to begin to secure your business environment.

• Identify the weak points in your network and fix them.
• Turn off unneeded services, change default passwords, and apply updates and security patches on a timely basis.
• Train your workforce to identify strange activity that might indicate a security issue.
• Monitor the workforce with automated tools to identify suspicious activity.
• Understand how information is going in and out of your network.
• Evaluate your partner relationships to make sure you are sharing the right amount of information with a partner whose systems are also secure.
• Develop and test your incident response plan.

How we can help

CLA can help you understand, evaluate, and mitigate the risks to your organization. Our health care team includes computer security professionals who can identify your vulnerabilities through technical testing and help protect your patients' information. We can also assist you in completing comprehensive enterprise risk assessments to identify physical, technical, and administrative risks that could impact the security of the sensitive information that you store.