Most at Risk, Yet Least Secure: Why Hospitals Need Stronger Cybersecurity Now More than Ever
In a post last year called “Are There Holes in Healthcare Cybersecurity?” we covered the growing discrepancy facing our healthcare system. Although this information-rich industry is one of the most desirable targets for cyberhackers, it’s also one of the least protected from them, especially when it comes to the amount of money devoted to cybersecurity budgets.
Whereas the medical field generally allocates about 5% of its total IT budget to security, Gartner tells us that other industries spend more: financial services companies spend 7.3%, retail and wholesale companies spend 6.1% and insurance companies spend 5.7%. In fact, for the thirteen analyzed industries, the average spend was around 6%. This disparity is causing many headaches for healthcare companies across the nation, especially since they experienced deadly data breaches that affected more than 59% of the U.S. population in the last decade. And the trend is moving upward: one breach per day is being reported.
This problem is perhaps most notable in Illinois right now, where 27 healthcare providers and companies suffered data breaches just in the past two years, ensnaring at least 500 patients. Rush University Medical Center, a nationally renowned hospital in Chicago, recently experienced a breach that compromised the sensitive information of 45,000 patients.
What Healthcare Facilities Have that Hackers Want
“They [hospitals] have the holy grail of personal data in their systems,” said Mark Greisiger, president of NetDiligence, a cyber risk management services company. Hackers usually seek records that are profitable on the black market, like Social Security numbers, health insurance information and medical records; these are used to open other accounts that destroy the victim’s credit. In Rush University Medical Center’s case, names, birthdays, Social Security numbers, addresses and health insurance information were captured when one of the hospital system’s billing processing vendors sent a file to a hacker.
Now compound that mistake with the sickening reality that this information is constantly flying around networks as it’s shared among hospitals, other healthcare venues, vendors, billers, insurance companies and other groups. A hacker’s opportunities to exploit these sometimes-unprotected networks, whether by deploying ransomware, phishing or leveraging some other entry point into the system, become exponential. In Rush’s case, it was the vendor that proved to be the weak link. This is quite common. Over 20% of past breaches occurred when a vendor, consultant or other third party shared sensitive information with a criminal party.
Can Bigger Budgets Make it Better?
So why aren’t budgets aligned with these challenges? Given the increasing budget pressures associated with providing excellent patient care, cybersecurity budgets often get relegated to the back burner. The Illinois Health and Hospital Association reports that 36% of Illinois hospitals are operating in the red. Unless there is a recent breach that hits close to home, cybersecurity budgets are often skipped in favor of the proverbial squeaky wheels.
Yet all of this may be changing. More than 38 percent of healthcare organizations have increased cybersecurity spending over the previous year, according to a survey done by Black Book Research. Some systems, like Advocate and Amita Health, which has 19 hospitals in Illinois, have hired executives dedicated solely to data security.
Sometimes even money can’t help. In these cases, education is one of the strongest weapons. When employees are aware of phishing tactics they can more effectively thwart them. Patients need to be careful too. Many times, they’ll receive what looks like a legitimate email from a respected company that prompts them to share their sensitive information – or even download malware that allows hackers access to the network.
It’s an ongoing battle that this industry knows too well. But when critical information – and ultimately lives – are at stake, the dedication of time, education and money is well worth it.