Healthcare Security and What’s Really at Stake
Second up in our National Cyber Security Awareness Month (NCSAM) blog series – healthcare. The industry may seem like an odd choice, since monetary gain and political considerations are the primary drivers for many cyber-attacks. But healthcare can provide an extremely convenient jumping off point towards those two objectives. Medical records are master keys into a patient’s life; they contain all of the critical data that would enable thieves to clear nearly any security hurdle in assuming an identity for monetary gain or to perpetrate medical fraud. You name the security question and chances are the answer is contained somewhere within your medical history. Compromise of that data can lead to dire consequences.
A recent Poneman Institute survey underscored this imperative, reporting that the cost for data breaches generally is going down, but not for healthcare. According to the study, 1.42 million Americans were victims of medical identity theft in 2010. The report estimates the annual economic impact of medical identity theft to be $30.9 billion. Furthermore, the World Privacy Forum found that the cost impact and demand for medical history and identifiable information in healthcare far outstrips other industries. For example, a stolen medical ID number and record is now worth approximately $50 on the black market as opposed to $1 for a stolen credit card number.
While this is not news to those charged with securing the healthcare system, it remains troubling. As Andy Jaquith reported earlier this year on our blog in a piece titled Your Healthcare Security RX, the truth is that healthcare regulations, like all regulations and resultant security considerations, are constantly evolving. They present complex challenges for hospitals, insurers, life sciences firms and suppliers alike.
That said, a little common sense can go a long way to reducing risk.
1. Tone from the top. When senior management teams set the tone for an informed, enterprise-wide perspective on security and risk oversight, it can drive attitude adjustment throughout the entire organization. Patients always come first, and their security and privacy is no exception. When management leads by example, the organization will follow.
2. Institutionalized risk assessment and audit. This one is just standard blocking and tackling. An astonishing number of organizations lack a formalized, standardized process for the management of risk. Excel spreadsheets and one-off projects may have worked in the old days, but the bad guys have gotten a lot more organized and efficient. You need to do the same.
3. Tiered vendor risk management. Healthcare organizations today rely on numerous partners and vendors. Each has access to different levels of information about patients and medical practices. In order to fully understand the organization’s risk posture, you must look at every single third-party vendor you do business with and identify what sensitive data is transmitted, stored and processed outside of your organization’s walls.
4. Design for defaults. Balancing security and productivity is especially important in clinical settings. In hospitals, access to critical systems without onerous security constraints can literally be a life-and-death matter. Strive to shape the working environment so that effective security policies are built into daily workflows.
5. Implement the right tools to secure electronic protected health information (ePHI). Email encryption is a no-brainer. So are products that help secure mobile devices and applications. Security monitoring services that help prevent and detect potential security breaches are especially important.
By following these five practices, health care organizations maintain high levels of security without impeding productivity.
Trackback from your site.