Health data is among the data most coveted by hackers. More patient records were breached in the first half of 2019 than in all of 2018. Medical records are worth more on the deep web than credit card and Social Security numbers.
And breaches are costly: Healthcare organizations pay an average of $6.45 million per incident, which is 65 percent higher than mitigation costs seen in other industries, a Ponemon Institute/IBM Security report finds. Even worse, loss of critical IT systems and patient data, even briefly, hinders the power to provide care when seconds count.
Brutal stories of ransomware attacks on small medical practices have peppered the news in recent months. A Wall Street Journal article published in October cited the particularly crippling effects on small systems; some practices have even been forced to close.
Because 57 percent of all medical practices in the U.S. have 10 physicians or fewer, according to the American Medical Association, these providers may lack IT resources or general knowledge of potential threats.
But no healthcare business, regardless of its size, can afford to suffer a security breach, whose added resulting costs may include HIPAA fines and reputational damage. It’s why a comprehensive cybersecurity assessment — combined with ongoing, real-time monitoring — is crucial.
What Happens During a Cybersecurity Assessment
Security assessments give organizations a clearer picture of the vulnerabilities and weaknesses in their environment, as noted in CDW’s 2019 Cybersecurity Insight Report. These evaluations, each one unique, can also help IT and business leaders take effective measures to implement security solutions.
The guide identifies several types to consider:
- Network assessments to review your IT infrastructure and identify risks that might arise from insecure network configurations or outdated software across traditional or wireless networks
- Application assessments that look for vulnerabilities in the functionality of applications that run on your network — a service particularly valuable for organizations that develop their own applications
- Advisory assessments for evaluating infrastructure security from a higher level; these take a holistic view of your complete security program to analyze strategy, best practices and gaps to address
For concerns that require deeper analysis, penetration testing may be necessary. This involves “ethical hacking” by a trusted outside party into your network, website, Wi-Fi or other infrastructure.
CDW teams are often successful in accessing mission-critical database servers and diagnostic information with inadequate or missing passwords, a CDW white paper notes. One CDW tester found a pharmacy application running on an internet-accessible Unix server with a password that was the same as the host name. Likewise, studies have found many internet-accessible radiology systems don’t even have passwords.
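The two weaknesses just described, a missing password and a password that simply repeats the host name, are easy to catch in your own asset inventory before an outside tester does. The following is an added example written for this article, not code from CDW or the white paper; the inventory, host names, services and credentials in it are all constructed, and it rates a finding higher when the host is reachable from the internet.

```python
"""Credential-hygiene check over an asset inventory (constructed example).

Flags services with no password at all and services whose password is the
host name, weighting each finding by whether the host is internet-exposed.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Asset:
    hostname: str          # e.g. "rx-app01.clinic.example" (constructed)
    service: str
    password: str          # credential as recorded in the assessment inventory
    internet_exposed: bool


@dataclass
class Finding:
    hostname: str
    service: str
    issue: str
    severity: str


def _host_labels(hostname: str) -> Set[str]:
    """Short label and full name, lower-cased, so 'RX-APP01' matches 'rx-app01.clinic.example'."""
    name = hostname.strip().lower()
    return {name, name.split(".")[0]}


def check_credentials(assets: List[Asset]) -> List[Finding]:
    findings = []
    for a in assets:
        pw = a.password.strip()
        if not pw:
            issue = "no password set"
        elif pw.lower() in _host_labels(a.hostname):
            issue = "password equals host name"
        else:
            continue
        # A weak credential on an internet-reachable host is the crippling case above.
        severity = "critical" if a.internet_exposed else "high"
        findings.append(Finding(a.hostname, a.service, issue, severity))
    return findings


# Constructed inventory; every host name, service and credential here is made up.
SAMPLE_INVENTORY = [
    Asset("rx-app01.clinic.example", "pharmacy-app", "RX-APP01", True),
    Asset("pacs02.clinic.example", "radiology-viewer", "", True),
    Asset("fileserv.clinic.example", "smb", "   ", False),
    Asset("ehr-db.clinic.example", "postgres", "Q7#m9v!zLpR2", False),
]

if __name__ == "__main__":
    for f in check_credentials(SAMPLE_INVENTORY):
        print(f"{f.severity.upper():8} {f.hostname} [{f.service}]: {f.issue}")
```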
Healthcare Cybersecurity Is a Never-Ending Task
It may be challenging at first to secure buy-in from executives for a cybersecurity evaluation, but we’ve reported many cases in healthcare where the investments have been well worth the cost. Linking the benefits to your bottom line can ultimately help redirect IT resources and focus on weak spots that, if breached, could be detrimental.
Still, it’s important to remember that assessments won’t guarantee immunity from breaches, the CDW cybersecurity report notes — and they’re ineffective unless everyone in your organization knows the risks and follows best practices.
That is why cybersecurity training that involves all staff members is also crucial — yet 1 in 4 healthcare workers has never received this training, and it only takes one end user clicking a malicious link or misplacing an unprotected mobile device to put the system at risk.
Coupled with ongoing monitoring and a robust action plan, an assessment can inspire resilience and condition everyone to be watchful in the face of growing outside threats.
Because when it comes to a security breach, it’s a matter of when, not if. Don’t sleep on the opportunity to stay one step ahead — and to protect the best interests of patients, staff and your practice’s reputation.
This article is part of HealthTech’s MonITor blog series. Please join the discussion on Twitter by using #WellnessIT.