As Cyber Risk continues to evolve, it is becoming very evident that while it is spread over a variety of industries, the types of Cyber Risks are specific to each industry and play a major role in its level of exposure. The healthcare sector in particular is targeted most heavily by hackers and malicious campaigns due to the private nature and black market value of the data. Personally Identifiable Information (PII) and Protected Health Information (PHI) contain data with which a bad actor can easily steal someone’s identity, open false accounts, perform fraudulent transactions, or gain access to bank and other types of private accounts.
Ponemon’s 2015 Cost of Data Breach Report notes that while the global average cost per stolen record in a data breach is $154, the average cost per stolen record for a healthcare organization could be as high as $363 – making it the obvious target for hackers.
With the adoption of electronic PHI record keeping, the level of a healthcare provider’s exposure increases dramatically. This, coupled with the fact that many healthcare providers are equipped neither to proactively defend against breaches nor to respond to one when it occurs, is a recipe for disaster.
Cyber or business interruption events such as lost or stolen data, a Distributed Denial of Service (DDoS) attack or a Ransomware threat may seriously impact the healthcare provider’s business reputation and financial standing. In addition, regulatory fines may run into the millions of dollars. With the average number of breached records in the healthcare sector at 58,070 and the above-mentioned cost per record at $363, firms with a modest number of breached records could face costs upwards of $20 million. Even the average cost per breach noted in the Ponemon study, $5.9 million to $6.5 million, is enough to cripple smaller healthcare providers that are unprepared to respond or are operating without proper Cyber insurance.
What should a healthcare provider do to be prepared for a cyber breach or business interruption event?
- Risk Register – A risk register will help a company’s C-suite and department heads wrap their minds around the various exposures the organization faces related to Cyber Risk. Once the risks are identified and the current mitigation strategies evaluated, plans can be developed to strengthen security and minimize risk. Additionally, a risk register enables the alignment of risks with an enterprise level risk appetite.
- Strong Policies and Procedures – Your organization should have a well thought out Incident Response Plan and Disaster Recovery Plan in order to survive and recover from a cyber event. Other security policies such as data encryption, data segregation, strong password policies, two-factor authentication, mobile device management and patch management will also strengthen the forward defenses against a breach.
- IT Forensics – Have your IT staff or a specialized firm proactively assess your security protocols and IT policies and procedures. They will generally perform penetration testing, gauge the security awareness of your staff and assist with the development of Disaster Recovery Plans. Remember, assessments should be performed on a consistent schedule: if updates and maintenance are not performed, the security of applications and devices will become lax and easy to circumvent.
- Employee Training – Continually educate your staff to identify cyber threats and understand what to do if they recognize a suspicious event.
- Maintain Cyber Insurance – Cyber Liability coverage is still maturing, but it will protect your company’s assets when a breach occurs. Since there is little to no uniformity between policy forms offered by the carriers, the coverage should be carefully tailored to protect your organization, and reviewed by an expert who understands both the intricacies of the coverage and the cyber exposures faced by healthcare providers.
- Understand Breach Notification Obligations – US-based organizations have an obligation to report cyber incidents, and the obligations vary from state to state. Companies in other parts of the world have much less stringent notification obligations, or none at all, but that, as we’ve seen with the EU’s General Data Protection Regulation (GDPR), is changing. Understanding your obligations is an often overlooked part of mitigating Cyber Risk.
The healthcare sector is, without a doubt, one of the industries most targeted by cyber attackers. Being prepared to respond to an event can be the game-changer needed to ensure the organization survives a cyber breach.