Difficulties Facing The Healthcare Industry
Criminal attacks on unsuspecting medical practices, hospitals and other areas of the healthcare industry have been happening in digital form for years. Would-be criminals don’t need to physically walk into the practice and reach behind the counter for sensitive records. Now, thanks to many improvements in technology, the vast majority of personal files are shared and kept in digital archives with little protection.
As the tech world surges forward, we are seeing an unprecedented amount of data being collected, shared, analysed and stolen on a daily basis. These recent leaps in technology are creating extra points of entry for criminals and more concerns regarding patient privacy than ever before. Despite major media coverage and brazen high-profile breaches of governments and global organisations, there is still an upward trend in the frequency and severity of privacy breaches. Some industry vendor reports indicate these breaches are more likely to happen in the health care industry than in any other.
Cyber Insurance Can Help Protect Your Business.
Why Is Healthcare Such A Target?
There are many reasons, but some major points which make healthcare a prime target are:
- The content of the data is sensitive and more valuable. For example, stolen healthcare data has been sold for 10 times the price of credit card info
- Time-critical access. Usernames and passwords are simplified and left openly available to all staff to save time
- The personal data is not easily reset like credit card information. Birth dates, names and addresses are nearly impossible to change after a breach
- Healthcare has adopted technology very rapidly without full understanding of the vulnerabilities
- Medical device manufacturers fail to adequately secure their devices
- Typically patient records are stored in large volumes and for many years
- Too many people have access to patient records
Unique Risks for Healthcare Organisations
- Staggering amounts of Personally Identifiable Information and Protected Health Information collected, analysed and stored on systems
- Sharing of health information with a variety of providers, including specialists
- Mobile devices such as tablets and phones gaining much wider use
- Employee education that is not up to date, which leaves the organisation open to human error
- Systems typically allow access points for hundreds of users including third party vendors
- A heavy dependency on outsourced service providers
- Many organisations have a chain of liability from providers, payors, third party administrators, technology or hardware firms, pharmacy benefit managers, outsourced network service providers and data storage firms
High Profile Breaches
Internationally, many medical device manufacturers are being questioned over their failure to ensure the security of their products, instead transferring that responsibility to health care organisations. While these new devices can drastically improve efficiency and diagnoses, they are also creating vulnerabilities for the network they are connected to. Employee error remains the number one cause of exposure, but device vulnerabilities are also occurring at alarming rates.
Cyber insurance policies currently vary widely in cover and exclusions, as the risk is still evolving. Some policies are asking for encryption across all portable devices, clearly defined regular backup and recovery procedures, or independent audits and penetration testing conducted regularly. Over time we will see a clearer understanding and standard of cover.
Some unforeseen risks can arise after a cyber attack as a result of an office being forced to return to paper. The integrity of data, the security of health records and identity theft of patients are also important risks to consider when reviewing insurance policies.
We recommend that medical industry staff understand the coverage they are getting and make sure ransomware and 3rd party costs are covered in their policy.
Overall, though, perhaps the most important preventative measure at the moment is to educate employees. Current vulnerabilities, scams and prevention methods should be regularly circulated for employee knowledge. One email can breach the entire network. As a result, we suggest getting employees to subscribe to the MailGuard blog and follow Cyber Insurance Australia on LinkedIn & Facebook for regular updates and information.