The healthcare sector is without a doubt one of the industries most targeted by cyber criminals. Different industries have different types and degrees of cyber risk exposure, but hackers and malicious campaigns take aim at the healthcare sector in particular because of the private nature and black market value of its data.
Personally Identifiable Information (PII) and Personal Health Information (PHI) both contain data that could easily be used to steal someone’s identity, open false accounts, perform fraudulent transactions, or gain access to bank and other private accounts.
The average cost per stolen record for a healthcare organization is as high as $363, more than twice the average across all industries. As more and more health information is stored in the cloud, healthcare provider exposure levels are increasing dramatically. Add to that the fact that most providers are equipped neither to proactively defend against a cyber breach nor to respond to one, and you’ve got a recipe for disaster.
Cyber attacks and other business interruption events, such as lost or stolen data, a Distributed Denial of Service (DDoS) attack, or ransomware, may seriously damage a healthcare provider’s business reputation and financial standing. In addition, regulatory fines may run to millions of dollars. With the average number of breached records in the healthcare sector at 58,070 and the above-mentioned cost per record at $363, a firm with even a modest number of breached records could face costs upwards of $20 million.
Even the average cost per breach of $5.9 million to $6.5 million is enough to cripple smaller healthcare providers that are unprepared to respond or operating without proper Cyber insurance.
So what should a healthcare provider do to be prepared for a cyber breach or business interruption event?
A risk register will help a company’s C-suite and department heads wrap their minds around the various exposures the organization faces related to Cyber Risk. Once the risks are identified and the current mitigation strategies evaluated, plans can be developed to strengthen security and minimize risk. Additionally, a risk register enables the alignment of individual risks with an enterprise-level risk appetite.
Strong Policies and Procedures
Your organization should have a well-thought-out Incident Response Plan and Disaster Recovery Plan in order to survive and recover from a cyber event. Other security policies, such as data encryption, data segregation, strong password policies, two-factor authentication, mobile device management and patch management, will also strengthen the forward defenses against a breach.
Have your IT staff or a specialized firm proactively assess your security protocols and IT policies and procedures. They will generally perform penetration testing, gauge the security awareness of your staff and assist with the development of Disaster Recovery Plans. Remember, assessments should be performed on a consistent schedule: if updates and maintenance are not performed, the security of applications and devices will become lax and easy to circumvent.
Continually educate your staff to identify cyber threats and understand what to do if they recognize a suspicious event.
Maintain Cyber Insurance
Cyber Liability coverage is still maturing, but it will protect your company’s assets when a breach occurs. Since there is little to no uniformity between policy forms offered by the carriers, the coverage should be carefully tailored to protect your organization, and reviewed by an expert who understands both the intricacies of the coverage and the cyber exposures faced by healthcare providers.
Understand Breach Notification Obligations
US-based organizations have an obligation to report cyber incidents, and the obligations vary from state to state. Companies in other parts of the world have far less stringent, or no, notification obligations, but that, as we’ve seen with the EU’s General Data Protection Regulation (GDPR), is changing. Understanding your obligations is an often-overlooked part of mitigating Cyber Risk.
For more on the full cost of a data breach, here's a widely respected independent study on the topic.
Being prepared to respond to an event can be the game-changer needed to ensure the organization survives a cyber breach.
If you have questions about managing your healthcare organization's Cyber Risk, or you would like more information, please contact us.