Jan 14 2019

Bottom Line: For Healthcare Organizations, Security Is Everyone’s Responsibility

Preparing for a cyberattack can be costly, but failure to do so can be devastating.

Cyberattacks and security measures, no doubt, can have a tremendous impact on any organization’s bottom line. The average cost of a data breach in the U.S. is $7.91 million, according to the Ponemon Institute. That figure includes detection, notification costs and redress activities, as well as lost business.

Healthcare, in particular, has the highest per capita data breach cost — $408 — out of all industries. Even scarier: More than 90 percent of healthcare organizations have reported data breaches since the third quarter of 2016, according to Black Book Research.

MORE FROM HEALTHTECH: What providers can do in the wake of a cyberattack.

Providers Fight an Uphill Battle for Protection

To make matters worse, a majority of providers likely are fighting an uphill battle to keep top security talent, according to Partners HealthCare CISO Jigar Kadakia. At the joint HIMSS-College of Healthcare Information Management Executives cybersecurity forum last year, Kadakia said that the best information security professionals often command higher salaries in other sectors. Cybersecurity spending in the industry is low and stagnant, with providers allocating only 3 percent of their overall IT budgets to security since 2016, according to Black Book — far less than what other industries spend.

So, what can healthcare IT executives do to reduce risk and mitigate the costs associated with a breach?

Cybersecurity Frameworks and Assessments Are Critical

For starters, organizations should review their baseline device and IT environments. Providers typically use a mix of old and new equipment, including multiple disparate networks, hardware and applications, as well as homegrown and custom equipment and software. A detailed accounting of such tools and systems is an essential first step on the path to a healthier environment.

Adding a cybersecurity framework — a set of policies, procedures, best practices and governance — is also a good idea. Examples include the National Institute of Standards and Technology Cybersecurity Framework and the Health Information Trust Alliance’s Cybersecurity Framework. Today, many healthcare organizations have adopted such a framework, and 40 percent are using more than one, according to Symantec.

What’s more, providers must conduct security risk assessments, including penetration tests and simulated phishing, at least once a year to ferret out points of entry and weaknesses in their IT infrastructures. All the various assessments and frameworks won’t matter, however, without proper training and insider threat management programs.

Healthcare Organizations Must Emphasize Security Education

IT must emphasize end-user education, especially considering the constant dangers looming in email. A 2018 survey from Mimecast and HIMSS Analytics found that a majority of responding CIOs and IT directors believe email was the most likely source of a breach in their organization. Phishing, in particular, is a serious problem, according to another HIMSS report.

“Users are really scared to use email today,” Randall Frietzsche, CISO and privacy officer for Denver Health, told HealthTech. “They get email that they’re afraid to click on and they hear all the horror stories.”

Cybersecurity hygiene is everyone’s responsibility. Dedicating more time to frequent personal development and security training for those already on staff is a relatively inexpensive and easy way to take steps in the right direction. What’s more, it helps to ensure security is top of mind for executives as more resources are needed.


Yuri_Arcurs/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT