Emily Mongan

It’s easy to ignore the issue of cyber attacks if your organization hasn’t faced one. It may seem like a far-off idea — something that happens only to providers who are sloppy about their cyber security, or something that damages large acute-care providers or insurance companies.

But the statistics are hard to ignore, for any healthcare organization. Over the past five years, cyber attacks on healthcare providers have increased 125% and are expected to keep growing, according to one study. Another investigation found that providers, on average, face a cyber security threat every three months.

But is the industry paying attention? Apparently not. Many providers spend less than 6% of their technology budgets on security.  

Advances in technology and providers who lag behind on updating their IT systems have created a “perfect storm” of vulnerabilities in healthcare IT security, said Stephen Cobb, a senior security researcher at ESET, in a recent report. And stealing patient information is a lucrative game, as many hackers have discovered. Just last month, one Los Angeles hospital had to pay $17,000 in “ransom” money to retrieve patients’ medical records.

But it’s not just hackers that providers need to worry about. A case heard by the U.S. Supreme Court last fall, Spokeo, Inc. v. Robins, could allow consumers to sue companies who lost their data through a cyber attack or data breach.

And data breaches — especially the types that violate HIPAA and can result in federal investigations and fines — are rarely perpetrated by shady hackers with extensive coding knowledge, according to the National Law Review. No, these types of breaches are often the result of employee missteps, like losing a laptop containing personal health information, or forwarding records to a personal account.

The good news? Not all hope is lost. Last week the Centers for Medicare & Medicaid Services announced a new program that would provide funding to improve IT for a “broader universe” of healthcare providers, including long-term care facilities left out of previous IT initiatives. Providers whose IT systems and security practices in the market for an updated IT system can weed out vendors by asking the “tough questions” about capabilities with data security and integrity.

As providers, you have a lot on your plate, and I’m willing to bet cyber security isn’t your top priority. But as the cases of vulnerable healthcare organizations becoming the target of hackers increase, so does the need for your organization to be aware of the issue.

As they say, an ounce of prevention is worth a pound of cure … or in the case of that L.A. hospital, an ounce of prevention is worth around $17,000 and some unfavorable publicity.

Emily Mongan is Staff Writer at McKnight’s. Follow her @emmongan.