By Urszula Skarzynski, Manager, Assurance Services
Cybersecurity is a forefront financial concern of all healthcare organizations. Although every industry is wrestling with the threat of cyberattack, healthcare organizations have witnessed the most significant increase in cyber breaches because of the sensitive nature of healthcare information. Healthcare providers continued to be the most targeted organizations for industry cybersecurity breaches, accounting for nearly 4 out of 5 breaches. Over 93 percent of healthcare organizations have experienced a data breach since 2016. Security breaches can happen anywhere there is a connected electronic device, which includes CAT scanners, MRI machines, cell phones, and computers. Devices are networked together and often communicate with the internet and the cloud. As the government and healthcare organizations strive for interoperability, more coordinated care and patient-focused care, providers have become more vulnerable to these attacks.
The price of violation in healthcare is extremely high. The Department of Health and Human Services’ Office of Civil Rights (OCR) administers penalties beyond the costs of resolving breaches and civil complaints. OCR applied a total of $28 million in 10 resolutions in 2018 alone.
Based on HIPAA Journal’s October 2019 Healthcare Data Breach Report, the total number of breached healthcare organization records in 2019 exceeds the 38 million mark, which equates to 11.64% of the population of the U.S. The most significant causes of security breaches were hacking, IT incidents and unauthorized access. Phishing also continues to cause problems for healthcare organizations: not only are providers struggling to block these attacks, they are also failing to detect them in a timely manner when they occur.
Although the healthcare industry has the most significant number of cyber breaches, the industry is behind others in taking safety steps. Based on studies conducted by Healthcare Tech Outlook, cybersecurity accounts for only 4 to 7 percent of IT expenditures of a health system compared to around 15% in other sectors, such as the financial industry.
According to 90 percent of hospital representatives answering the Black Book cybersecurity survey, IT security budgets have remained level since 2016, and a third of hospitals that purchased cybersecurity solutions between 2016 and 2018 did so blindly, without including users or affected department managers in the purchasing decision. A significant number of healthcare organizations did not have formally identified security objectives, did not carry out measurable assessments of their cybersecurity status, and did not perform drills of their incident response process.
As the healthcare industry continues to make technological advances, whether in the surgery suite or the finance department, the increase in data collection and sharing will only increase the exposure to security breaches faced by healthcare organizations. To protect against these breaches and the penalties that result in financial and reputational damage, organizations must take preventative measures.
OCR will continue to focus on security risk assessment violations and risk management regulations. Although there is no one-size-fits-all solution, one of the most effective ways to reduce expenses related to cyber risk exposure is to avoid infringement in the first place. Not all breaches can be stopped; however, healthcare providers can minimize damage by detecting and responding to breaches quickly. All organizations should perform an organization-wide assessment of threats and vulnerabilities and take steps to decrease those threats, which include education of employees, vulnerability/penetration studies, obtaining cybersecurity insurance coverage and formalized documentation of IT policies and procedures.