While many small businesses mistakenly think they're immune to data breaches because of their size, and therefore put only minimal protection in place, healthcare organizations can never risk taking this laissez-faire approach - and they'd be in trouble if they did. After all, healthcare IT systems are subject to rules and regulations, with heavy fines for failing to meet the required standards. Health practices are tempting targets for hackers, who know the high cost of patient treatment and the wealth of personal information stored by doctors. This is why malicious attacks are carried out on healthcare centers all the time. Two separate 2015 surveys, performed by the Ponemon Institute and the global corporation KPMG, produced some alarming statistics. Here's what they discovered.
The 2015 KPMG Healthcare Cybersecurity survey

This survey of 223 chief healthcare executives revealed that 81% of healthcare organizations have been breached in the last two years. What may come as even more disturbing news is that 25% of these executives noted that their organizations were attacked anywhere from one to five times a week.
And the organizations which are aware they’re being attacked are actually the lucky ones. According to Greg Bell, KPMG’s leader of the firm’s Cyber Practice, "The experienced hackers that penetrate a vulnerable health care organization like to remain undetected as long as they can before extracting a great deal of content, similar to a blood-sucking insect." That means the longer a cyber attack goes unnoticed, the more damage it can do to your practice.
The survey also revealed the greatest threats facing today’s healthcare organizations by type, according to the respondents:
- 65% - external attacks: cyber attacks are more sophisticated and better funded than ever, and with healthcare organizations as prime targets they are increasingly difficult to prevent.
- 48% - sharing data with third parties: because it’s easy to distribute ePHI over the Internet and mobile devices, it’s more likely for this data to fall into the wrong hands.
- 35% - employee breaches: an unhappy employee steals or alters your practice’s critical information.
- 27% - insufficient firewalls: a firewall blocks viruses, worms and hackers. If yours is inadequate, it’s easier for these threats to break into and corrupt your network.
The Ponemon study

Released in early 2015, the Ponemon Institute's Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data may come as even more of a shock than KPMG's survey. According to this study, 91% of healthcare organizations have experienced at least one data breach in the last two years, 39% have had two to five breaches, and 40% have had more than five.
So what’s the real reason for all these data breaches? The report claims that "cyber criminals recognize two critical facts of the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) healthcare organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data."
Although the information revealed by these two surveys is anything but positive, that doesn’t mean there’s nothing you can do. To protect your practice, there are five key steps you can take:
- Prevention - just as integral to data security as it is to your patients’ health
- Monitoring your network - so you know when and if your organization is under attack
- Management - of passwords, applications, and staff policies
- Compliance - it's your legal duty to be compliant with all rules and regulations in the industry, such as HIPAA
- Penetration testing - find the holes in your security that a hacker could exploit, and close them