Healthcare Entities Recognize the Value of Cybersecurity

February 8, 2016
Ed Rabinowitz

A data breach can cost a healthcare provider more than $350 per affected record. Thus, healthcare organizations can't afford to ignore cyber security.

Crime pays … especially when it comes to the dollars that valuable health information will fetch on the so-called “Dark Web.”

According to a study by Ponemon Institute on the cost of a data breach, healthcare has the highest cost per stolen record: more than $350.

For healthcare organizations ranging from hospitals to private practice, the ability to balance security with user-centric convenience and flexibility is often a question of costs versus tradeoffs.

“Healthcare organizations regularly handle some of our most sensitive data, and the ease at which this information can be externally shared or mistakenly exposed is concerning,” says Scott Gordon COO of FinalCode, a Silicon Valley file security company. “Appropriate content management, encryption, and usage control technologies can prevent incidents of file leakage containing health information.”

Double Trouble

Gordon says that from a healthcare provider standpoint, there are two reasons why cybersecurity—defined as “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this”—is such an important issue.

“You have a data privacy issue on one side, and the Internet issue of defending against potential attacks and malware that could impact patient health on the other,” Gordon says.

He further explains that if healthcare organizations don’t have proper network defenses and segregation of network services, they’re taking a huge risk on the latter side of the equation. On the first side of the equation, if they don’t have proper access controls and protection of sensitive data, whether that data is in the database, in patient records, or data in files that are shared amongst physicians, caregivers, insurance providers, external insurance payment and processing providers, and patients themselves, then organizations run the risk of potential data privacy breaches.

“If individuals are able to hack into networks and have an effect on the performance of communications, then you have the potential threat to patient care,” Gordon says.

Unique Challenges

Gordon says that healthcare is among the most frequently attacked sectors, and it also has unique challenges. One challenge is that the primary objective is to ensure the health of the patient, and to some degree that trumps security and privacy. Information technology security staff regularly tries to put that in perspective while at the same time answering the demands of physicians who may want to bring in their own equipment or use the latest tools.

Secondly, where hospital organizations are concerned, there are many non-employees—visiting doctors and external caregivers, for example—who utilize hospital facilities and access records.

“Security is dealing not only with employees, where they may have much more control over their devices and their access, versus non-employees, which is more challenging in terms of ensuring proper access to resources and management of personal devices,” Gordon explains.

The third challenge has to do with medical devices themselves. Gordon explains that many medical devices are closed systems that cannot be updated. Until recently, the FDA had very strict guidelines on tampering or altering anything on the electronic side of the equation, which would include software. As such, these devices can more easily be exploited.

And then there are patients, many of who today want immediate access to their medical records on their mobile devices, or the ability to interact with their physicians via video chats.

“Physicians and hospitals do not want to be liable, even for the negligence of the patient and their own records,” Gordon says. “In that case, there needs to be appropriate processes and sign-offs. And if data is being shared with others electronically, then file data protection really comes into play.”

Know Your Vendor

When it comes to outsourcing all or some of the responsibility for guarding against the unauthorized use of healthcare information, Gordon says that there’s a lot to consider. For example, there are organizations that will handle every aspect of cybersecurity for a hospital or medical practice. But outsourcing doesn’t completely remove your risk and liability.

“If I outsource my insurance processing to a third party, and there’s a breach of that third party, as the primary provider, I’m still liable,” Gordon says. “You might have an offset of risk and liability, but you don’t eliminate it. So, you have to know whom you are outsourcing to. Talk to your peers to see how the service provider’s offerings align with your requirements.”

He also points out that when it comes to costs and tradeoffs, in some respects cybersecurity is no different than driving a car. The risks will always be there. That’s why people have insurance.

“You do need to protect against those threats,” Gordon says. “But if you don’t have unlimited funds and unlimited resources, you have to utilize your best effort to save as much investment per risk reduction, while also considering that you need to maintain productivity and responsiveness.”