In 2016, cybercriminals have set their sights on healthcare. Ransomware is unfortunately the new normal.
“Hacking Hospitals,” a two-year study by Independent Security Evaluators of 12 healthcare facilities, two healthcare data facilities, two healthcare technology platforms and two medical devices, concluded that healthcare has two major problems when it comes to digital security: a near-exclusive focus on defending patient records, and measures that target unsophisticated adversaries and blanket attacks.
Healthcare provider organizations should not fool themselves: it’s not as much about preventing intrusions as it is about managing intrusions. They will occur! Just in the last four months: in February, hackers launched a successful ransomware attack against Hollywood Presbyterian Medical Center, holding the hospital’s data and normal operations hostage until the hospital ultimately paid the hackers 40 bitcoins (about $17,000). Then hackers attacked Los Angeles County Department of Health, Chino Valley Medical Center and its sister site Desert Valley Medical Center, Methodist Hospital in Kentucky and MedStar Health in the nation’s capital.
And healthcare organizations, by and large, are NOT prepared. More than 80 percent spend less than 6 percent of their IT budgets on security, and more than 50 percent say that figure is less than 3 percent, which is alarmingly low, less than half that of other industries or government. Also, 75 percent of healthcare organizations say security is only mentioned at board meetings some of the time or upon request, which shows the lack of strategic importance healthcare organizations give security, the study says. And cybersecurity training and education for end users ranks very low in the importance healthcare organizations give it.
Overall, most provider organizations have a tactical approach to security rather than a strategic approach, reacting to immediate threats rather than deploying a comprehensive strategy.
HEALTHCARE: It’s time to get serious about security and protect your patients’ data as required by HIPAA law!