Cybersecurity is about more than just protecting data -- it's about protecting revenue.
Healthcare is steadily becoming more consumer-focused, and not having proper safeguards and responses pertaining to data security can harm a hospital or health system's brand image. If patients can't trust their provider, they're liable to jump ship entirely.
That wasn't always the case. When HIPAA was first rolled out in 1996, the guidelines were relatively lax and there wasn't a lot of enforcement. For healthcare CFOs, it didn't make much sense to spend money on things that didn't produce revenue or make things more efficient, and that mindset extended to data security measures, as well.
But that is not the case any longer.
Times have changed
By 2010, the industry saw the widespread digitization and automation of records. That's when things started to change, according to David Finn, executive vice president of strategic operations for CynergisTek.
"The bad guys began to think about data in more advanced ways than the good guys did," Finn said. "We thought about using the data to get reasonable and prudent things done, and the bad guys thought of ways to get nefarious things done. Healthcare data is so easy to monetize, and easy to manipulate. Health records can be used for lots of things ranging from insurance fraud to drug diversion."
And the industry continues to lag. From a branding standpoint, that's a problem, and the old thinking that patients would not leave providers over a security incident is not holding up in the long run.
"We know now that isn't true. Patients will leave in significant numbers. There are settings where you may be in a rural community and there's only one provider, and it's harder to make that change," Finn explained. "But if you're in a city and have options, 25 percent or more of patients at a breached facility will leave."
This significantly impacts revenue, Finn said.
"Healthcare is based on trust," he said. "If your data has been breached, or if it's gone missing and you can't trust the data in that continuum, you've kind of broken healthcare."
Elements of a strong response plan
Luckily for an affected organization, patients will likely stay if they appreciate the provider's response. That means timely reporting and a swifter response than, say, a Walmart or a Target would give. Finn said an organization should address patients very quickly in the event of a security incident and tell them exactly what happened -- and if they're not sure what happened, be honest about that. Hiding it just doesn't work.
There are a number of areas that hospitals and health systems can strengthen to avoid some of the negative consequences of subpar cybersecurity, and the most important of these areas, according to Finn, is incident response. Based on CynergisTek's research, response has been the single weakest aspect of most providers' cybersecurity preparedness.
"Bad things are going to happen," he said, "and the best thing is to be prepared when those things happen. You're going to have some cyber event, so you need to build a response that accounts for all of the risks. And it matters how you reach out to the media and how you explain what you're doing, and how you get your data back, restore infected computers. Building a response plan is going to be key, and then working backward from that, that's how you determine what incidents are likely to happen to you."
Another area that needs to be strengthened is inventory. If a provider doesn't know what they have, they're not going to be able to protect it, so it's important for them to know what hardware they have, what systems those devices are running, and where the vulnerabilities are. Many organizations can't produce an asset inventory of all their devices, or they miss things, such as internet-connected Coke machines. (And yes, they exist and they can be a potential risk.)
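The inventory gap Finn describes is easiest to see when what is actually observed on the network is reconciled against what the organization believes it owns. The following is an added example, not code from the article or from CynergisTek; the asset register, observed-host list and end-of-life OS list are all constructed for illustration, and the field names (`mac`, `ip`, `vendor`, `os`, `owner`) are assumptions rather than any product's schema.

```python
"""
Asset inventory reconciliation (added example; constructed data).

Compares an authorized asset register (what the organization thinks it has)
against hosts observed on the network (e.g. from DHCP leases or a discovery
scan) and reports three defender-relevant gaps:
  * unmanaged devices seen on the wire but absent from the register
    (the "internet-connected Coke machine" case),
  * registered assets that were not observed (possibly retired or unplugged,
    possibly a stale inventory),
  * registered assets running an operating system the organization has
    classified as end-of-life.
"""

# Constructed authorized asset register, keyed by MAC address.
ASSET_REGISTER = {
    "00:1a:2b:3c:4d:01": {"name": "ehr-app-01", "os": "Windows Server 2016", "owner": "IT"},
    "00:1a:2b:3c:4d:02": {"name": "infusion-pump-12", "os": "Embedded Linux 3.x", "owner": "Biomed"},
    "00:1a:2b:3c:4d:03": {"name": "radiology-ws-07", "os": "Windows 7", "owner": "Radiology"},
    "00:1a:2b:3c:4d:04": {"name": "lab-analyzer-03", "os": "Windows 10", "owner": "Lab"},
}

# Constructed list of hosts actually observed on the network.
OBSERVED_HOSTS = [
    {"mac": "00:1A:2B:3C:4D:01", "ip": "10.0.1.10", "vendor": "Dell"},
    {"mac": "00:1a:2b:3c:4d:02", "ip": "10.0.5.21", "vendor": "Baxter"},
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.0.2.33", "vendor": "HP"},
    # No entry in the register: the vending machine nobody inventoried.
    {"mac": "00:1a:2b:3c:4d:99", "ip": "10.0.9.250", "vendor": "Vending Co"},
]

# Constructed policy list of OS versions the organization treats as end-of-life.
END_OF_LIFE_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}


def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated form so register and scan data compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def reconcile(register: dict, observed: list, eol_os: set) -> dict:
    """Return the three inventory gaps as sorted, deterministic lists."""
    known = {normalize_mac(m): info for m, info in register.items()}
    seen = {normalize_mac(h["mac"]): h for h in observed}

    # Seen on the network but not in the register: unmanaged and unprotected.
    unmanaged = sorted(
        ({"mac": m, "ip": h["ip"], "vendor": h["vendor"]} for m, h in seen.items() if m not in known),
        key=lambda h: h["mac"],
    )
    # In the register but not seen: either retired or the inventory is stale.
    missing = sorted(info["name"] for m, info in known.items() if m not in seen)
    # Registered assets whose OS is past vendor support: known-weak spots to prioritize.
    end_of_life = sorted(info["name"] for info in known.values() if info["os"] in eol_os)

    return {"unmanaged": unmanaged, "missing": missing, "end_of_life": end_of_life}


def format_report(result: dict) -> str:
    """Human-readable summary for the security or biomed team."""
    lines = ["Unmanaged devices (seen, not registered):"]
    lines += [f"  {h['mac']}  {h['ip']}  {h['vendor']}" for h in result["unmanaged"]] or ["  none"]
    lines.append("Registered but not observed:")
    lines += [f"  {name}" for name in result["missing"]] or ["  none"]
    lines.append("Registered assets on end-of-life OS:")
    lines += [f"  {name}" for name in result["end_of_life"]] or ["  none"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile(ASSET_REGISTER, OBSERVED_HOSTS, END_OF_LIFE_OS)))
```

Run as-is the report flags the vending machine as unmanaged, `lab-analyzer-03` as registered but unseen, and `radiology-ws-07` as running an end-of-life OS. MAC normalization matters in practice because register exports and scanner output rarely agree on case or separators; without it, every mismatch shows up as both "unmanaged" and "missing."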
Data is the most important asset an organization has, and according to Finn, few have a good handle on their protected health information -- who's using it internally, how it leaves the network, and who it's going to. Solutions exist in the form of data loss prevention tools that can help locate and prevent the loss of data, and track where it's going, even if it's headed to the cloud.
Thinking further ahead
Organizations also need to shore up their mobility and endpoint protection. In the old days, hospitals had computers and servers that were wired, and it was pretty easy to know who was using them. As tablets and smartphones made medicine more mobile, patients started using their devices to connect to a provider's resources. Those providers should adopt broader, more receptive, more secure and more private capabilities around mobile technology, said Finn, particularly since such measures are relatively cheap.
Finn said cybersecurity will continue to be an issue since technology keeps changing, not to mention models of care and business delivery.
"But whether you look at meaningful use and believe it's here to stay or think it's dead, we've definitely moved into a consumer-driven healthcare world," he said. "Patients are going to demand that same functionality from healthcare, so healthcare is going to be forced to catch onto these newer technologies. What I hope is that we've learned some lessons. I hope we've learned enough to at least think a little further ahead than we have in the past."