Experian predicts more pain and suffering for healthcare industry
Experian released their fourth annual 2017 DATA BREACH INDUSTRY FORECAST. It covers several industry specific predictions, including Healthcare. If you haven't heard, healthcare is under attack and it's going to be full on war in 2017. The cyber attackers are expected to re-invest funds to create more sophisticated software and better targeting of data to steal.
A few points made in the report:
- Protected Healthcare Information (PHI) or patient records are one of the most valuable sources of data for cyber attackers to sell on the dark web.
- IBM says over 100 million records were compromised (in 2015) making healthcare a top target of cyber criminals.
- It states, "...as medical identity theft remains lucrative and easy for cyber criminals to exploit..." which means the healthcare industry is NOT making it difficult for criminals to steal the information.
- It is likely EHR systems will become a primary target. Many of them cache non-encrypted data on the workstations.
- Ransomware will continue to be a top concern in 2017.
"Ransomware presents an easier and safer way for hackers to cash out; given the potential disruption to a company, most organizations will opt to simply pay the ransom."
- It is estimated cyber criminals are making over $300,000 per day on ransomware, fueling the development of new variants of the software. New variants of ransomware "will likely be able to evade many of the security detection systems that were developed."
The Report's Takeaway for Healthcare:
"As attackers shift their focus, an increase in hospital breaches means the consequences for healthcare organizations that don’t properly manage this risk will increase. Healthcare organizations of all sizes and types need to ensure they have proper, up to date security measures in place, including contingency planning for how to respond to a ransomware attack and adequate employee training about the importance of security."
My Takeaway for Healthcare:
- You need to have a third party perform a risk assessment, which includes a privacy and security risk analysis.
- You need to implement policies and procedures.
- Your entire staff needs to take current HIPAA training that includes cyber-security training.
- You need to work on correcting the issues found in the risk assessment.
- You need to insure patches are being applied to computers and network equipment regularly.
- You need to harden your cyber security ASAP. Yesterday would have been best.
- You need to create a diagram of where your PHI resides and have your IT department help secure and protect it.
Protect your patients, protect your practice, protect yourself.