The healthcare industry seems to be evolving into a primary target for hackers.
Since January 1, 2015, there have been 60 'hacking/IT incidents' reported to the Office for Civil Rights Breach Portal, affecting nearly 112 million patients. That represents a 77 percent increase in reported incidents from 2014 to 2015. Importantly, the portal only publishes a breach if 500 or more individuals are involved, so these are likely low estimates.
Even with this mounting number, healthcare organizations remain largely vulnerable, and likely will into 2016 and beyond.
According to Aon's 2015 Global Risk Management Survey, cybersecurity is now recognized – for the first time ever – as one of the top ten threats to companies worldwide.
And one of the industries most threatened is healthcare. The Identity Theft Resource Center reported that the healthcare industry accounted for more than one-third of all data breaches in 2015. Moreover, a study by PwC found that cybersecurity incidents jumped by 38 percent from 2014 to 2015.
PwC respondents also reported taking a more proactive stance against cyber threats, ramping up information security budgets by 24 percent in 2015.
An unprecedented move
While several organizations are taking steps to improve security networks and minimize vulnerabilities, hackers remain diligent.
Recently, a Los Angeles hospital's computer system was attacked, barring access to the facility's EMR for approximately three days. The hackers encrypted the files so that none of the hospital's users could gain entry.
In an unprecedented move, the hospital elected to pay the hackers $17,000 in bitcoins to release the files because it was the "quickest and most efficient way" to regain access to the EMR.
Going beyond the status quo
Up until now, it's been a common belief that larger organizations were most at risk and vulnerable to hackers. However, it's becoming evident that virtually any system, regardless of size, can become a target. Considering how even a small healthcare practice's database can contain the personal health information of thousands of patients, it's a growing concern for all in the industry.
Because of these growing concerns, the Obama administration has also taken action. The President authorized the formation of a new intelligence agency in 2015, which is tasked with pooling cyber attack details, identifying trends, and disseminating breach information. This comes on the heels of major security breaches including those at Home Depot, Anthem, and Target.
On an individual level, organizations are using additional resources to bridge security gaps. According to the PwC study, 91 percent of organizations are utilizing a risk-based security framework to identify – and correct – system weaknesses. This framework not only minimizes the risk of HIPAA security breaches but also satisfies Meaningful Use requirements.
Ultimately, healthcare organizations must find a way to identify and correct security deficiencies and ensure protection of their patients' personal health information.