Cyber-attacks show us that protecting patients’ sensitive health information is extremely important. The Healthcare Information and Management Systems Society believes the average healthcare organization spends 3% of its IT budget on security, which is not enough. For the health care industry, recovering from an attack involves more than password changes, warnings, and a list of tips and investigations from the FBI. Just last year, the FBI warned health care providers that their cybersecurity systems were inadequate. According to Reuters, fraudsters value health data over credit card numbers, since obtaining PHI lets them illegally gain access to prescription medications and valuable financial information. When practices and companies experience a cyber-attack, patients can be exposed to medical identity theft, resulting in losses upward of $12 billion annually (Ponemon Institute).
Despite the devastating impact cyber-attacks have on patients and providers, the people making spending decisions frequently do not see the value in paying for security until after a loss has occurred. Anthem’s breach affected roughly 80 million Americans, which calls into question the security of data as the health care industry moves away from paper to electronic health records. Holding private health information means that patients not only trust healthcare professionals to provide effective treatment, but also trust them to store and manage their information securely.
Patients aren’t the only victims after an attack: practices and companies, with or without cybersecurity insurance, can face class action suits and penalties for violating HIPAA regulations. Given Anthem’s breach, Dr. James Madara, CEO of the American Medical Association, had this to say about securing PHI: “if cybersecurity isn’t something that’s at the top of your list as an insurer or an integrated system, it has to get there very quickly” (Modern Healthcare). Experts in the health care and security industry agree with the statement in the SysAdmin, Audit, Networking, and Security (SANS) Health Care Cyberthreat Report: “compliance does not equal security”.
The Healthcare Billing and Management Association (HBMA) has provided a framework for evaluating your organization’s practices and becoming proactive about cybersecurity. See HBMA’s cybersecurity best practices for more in-depth information. In brief, their five core elements of data security include:
1. Identifying the risks.
2. Protecting the data.
3. Detecting any breaches.
4. Responding to any breaches.
Every healthcare professional is probably more than thankful that their organization was not a victim of the latest cyber-attack involving Anthem. Unfortunately, being thankful that it was “them and not us” this time doesn’t protect the PHI (Protected Health Information) with which providers and other healthcare organizations are entrusted. SANS is an organization designed to help companies understand the actions they need to take to defend their systems and networks against security threats. Barbara Filkins’ SANS survey highlights that our “risks are exponentially increased because of organizations’ reliance on electronic systems for mission-critical functions”. Examining a data sample of over 100 terabytes with a focus on the healthcare industry, Filkins found that health care providers received 72% of the malicious internet traffic in the sample.
Cyber-attacks are a monstrous threat that can take down our basic resources, if they are connected to a network, with a single click. Unpredictability makes cyber-attacks even scarier! With medical equipment becoming increasingly network-dependent, and with the rise of medical-based software and wearable technologies, our data is becoming more vulnerable.
“Connected medical devices, applications and software used by health care organizations providing everything from online health monitoring to radiology devices to video-oriented services are fast becoming targets of choice for nefarious hackers taking advantage of the IoT to carry out all manner of illicit transactions, data theft and attacks. This is especially true because securing common devices, such as network-attached printers, faxes and surveillance cameras, is often overlooked. The devices themselves are not thought of as being available attack surfaces by health care organizations that are focused on their more prominent information systems.” (SANS-Norse Health Care Cyber Threat Report)
At ImagineSoftware, our CEO Sam Khashman is fully aware of current and potential cybersecurity threats as a member of Infragard, an organization partnered with the FBI and the private sector. Our CEO goes out of his way to inform the ImagineTeam about cybersecurity and how it impacts our clients, our organization and our personal lives. In November of 2014 we welcomed Zal Azmi as our Chief Strategy Officer to help prepare Imagine and revitalize our cybersecurity policies. Azmi is the former Chief Information Officer for the FBI, and has held a variety of leadership positions within the Department of Defense Federal and Intelligence agencies. Part of Azmi’s cybersecurity policy revitalization includes hiring a team of cybersecurity experts, which positions Imagine as an invested industry leader in medical billing. Khashman had this to say about our new team member: “His experience and knowledge will benefit the longevity of our clients and our organization, and assist with high level information technology and security measures.” We, the ImagineTeam, value the security of our clients and their patients’ PHI, and seek to be intentionally excellent in all avenues of our business. Imagine On!
Conn, Joseph. "Experts Say Anthem Data Breach May Not Be Enough to Convince Healthcare Firms to Improve IT Security." Modern Healthcare. Modern Healthcare, 7 Feb. 2015. Web. 11 Feb. 2015.
Filkins, Barbara. "Health Care Cyberthreat Report Widespread Compromises Detected, Compliance Nightmare on Horizon." (n.d.): n. pag. Feb. 2014. Web. 09 Feb. 2015.
Filkins, Barbara. "New Threats Drive Improved Practices: State of Cybersecurity in Health Care Organizations." SANS Institute Reading Room. Cigital, CloudPassage, FireEye, Qualys, RiskIQ, Tenable Network Security and Trend, Dec. 2014. Web. 9 Feb. 2015.
Finkle, Jim. "Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks." Reuters. Reuters, 23 Apr. 2014. Web. 9 Feb. 2015.
Munro, Dan. "Health Data Breach At Anthem Is A Blockbuster That Could Affect 80 Million." Forbes. Forbes Magazine, 5 Feb. 2015. Web. 11 Feb. 2015.
Munro, Dan. "New Cyberthreat Report By SANS Institute Delivers Chilling Warning To Healthcare Industry." Forbes. Forbes Magazine, 20 Feb. 2014. Web. 11 Feb. 2015.
Munro, Dan. "The Top U.S. Healthcare Story For 2014: Cybersecurity." Forbes. Forbes Magazine, 21 Dec. 2014. Web. 9 Feb. 2015.