Hardly a month goes by that we don’t hear about a cyber or ransomware attack on a healthcare provider, manufacturer or health plan. Though major attacks are the ones that make the news, healthcare providers across the country face the risk of an attack of any size.
The Privacy Rights Clearinghouse estimates that more than 900 million records have been breached in the United States since 2005 as a result of nearly 5,200 reported incidents. Of those, about 30 percent—more than 1,500 data breaches—occurred in the healthcare industry.
Adam Greene, a partner with Washington, D.C.-based law firm Davis Wright Tremaine LLP, gives the healthcare industry a C-minus for its preparation for and response to cybersecurity and ransomware threats.
“As an industry, we lag behind other industries with respect to attention to information security,” said Greene. “For a long time, information in the healthcare industry wasn’t something that was looked at outside of clinical settings. Plus, we have a lot of small providers who lack resources to address this issue while they also try to stay on top of healthcare reform and other pressures of a changing marketplace.”
In fact, the 2016 Healthcare Industry Cybersecurity Report by SecurityScorecard reviewed the security ratings of more than 700 organizations in the healthcare industry—including treatment centers, insurance providers, manufacturers and hospitals—and found that healthcare has the fifth-highest number of ransomware attacks of all industries. The survey also found that 96 percent of ransomware attacks in healthcare targeted medical treatment centers.
How to respond? Greene offered these three tips to protect your practice from cyber or ransomware attacks:
- Tackle risk analysis the right way. An organization shouldn’t merely go through a checklist of risks that’s taken off the shelf and revisited once a year. “It’s looking at where your information is coming in, where it’s stored and going out the door, and looking at all the threats facing it along the way—not just outside cyber threats but also insider threats or natural threats,” said Greene. Constantly assess new risks on the horizon and plan strategies to prepare.
- Educate your staff, but be realistic. The topic of cybersecurity risks should be revisited with staff frequently—in particular, reminders not to click on links in phishing emails, which pose a significant risk of ransomware infection. In fact, a 2016 report from PhishMe indicated that more than 90 percent of phishing emails contain encrypted ransomware. “No matter how good your training is, there are still going to be a few people who click that link,” Greene said. “Think about what technical measures can be put in place to minimize the impact to the organization when they do so.”
- Seek outside support. “They want to be able to offer patient care. Internet security is not what they’re there for,” Greene said of providers. That’s why many providers should seek assistance from outside firms to help with cybersecurity strategies. “You can never completely outsource security. There will always be some fundamental responsibility on the healthcare provider,” he added. “But more and more, we are facing the reality that there’s not necessarily the economics or expertise for information security to be done completely in house.”
What’s the next big threat on the horizon? It will be whatever is easiest, lowest in risk and highest in profit for cyber criminals, Greene said. For now, that means ransomware attacks aren’t going anywhere, and the nature of future attacks is uncertain.
“Healthcare organizations need to get proactive in bringing in people with appropriate information security expertise to not just address vulnerabilities,” Greene said. “They need to take a systematic approach in identifying new issues and managing them with an ongoing process.”