Cyber security breaches in the healthcare industry are very costly. In the USA alone they cost over $6 billion a year. Almost 90% of hospitals report having suffered a breach in the last two years. Each such incident results in about half a million dollars of brand erosion. The legal settlement cost itself averages about one million dollars per incident, on top of lawsuit costs averaging about 880K USD per episode. Added to these are other substantial costs such as lost revenue, post-breach cleanup and breach forensics. Continuous data breaches can cripple the industry through the sheer expense it has to bear as a result of each breach.
Why is this cost so high?
Unlike many other industries, where only personally identifiable information (name, address, contact details, etc.) and financial details (credit card details, bank details, etc.) about a customer are stored, the healthcare industry stores far more critical data about its clients. This includes a patient’s medical history and conditions, the treatment provided and other information that can have a social and economic impact on the patient’s life. Additionally, the availability of a patient’s medical records is crucial during emergencies. If medical records are erased or made inaccessible by a cyber-attack, a patient’s life can be at risk. This makes cyber security all the more critical for the healthcare industry.
Steps to make healthcare IT infrastructure secure
A healthcare provider must keep its patients’ data safe and secure not just for business reasons but also for legal compliance. Here are five simple steps to strengthen data security in the healthcare industry:
- Make IT Architecture compliant with healthcare-specific standards and frameworks: There are enough standards and frameworks that define the system architecture for healthcare. These standards have well-defined processes that should be followed to protect the infrastructure from external attacks. The organization should conduct a deep analysis to identify the gaps between its existing architecture and such standards and plug them quickly.
- Data Encryption: This is one of the most important safety precautions that healthcare organizations need to take. Sharing of data is unavoidable in today’s world. Data transfer through various mediums between different companies and amongst healthcare workers is an everyday affair. However, they should do such transfers over secure channels. The data being transferred as well as static data (stored locally or on cloud) must be encrypted at all times.
- Securing Endpoints: Identify the nodes through which data can leave the system and secure them. USB drives, Bluetooth devices, terminal screens (via screen capture), public email sites, social media sites, instant messengers, etc. are some of the nodes that need to be secured. As a first step, these should be disabled. If access must be given, it should be granted as an exception and for a limited period only. When securing endpoints, many organizations seem to forget about computer screens and printers. These can be used obliquely to extract data from the system and thus should be included in the endpoint protection plan.
- Access Control: No user should be able to access any system or data unless it is required to perform their job. There is no reason for an administrative purchase clerk to see a patient’s X-ray images and records. All access should be reviewed from time to time. Organizations are often careless about revoking the access of employees who leave the organization. They should be vigilant about this and treat it as a priority.
- Legacy Systems: Computers have been around for ages now. Although IT systems are regularly updated to newer versions, reliance on legacy systems is still a reality. These old systems are especially vulnerable to cyber-attacks. Special attention should be paid to the security of such systems. Strong access policies, network isolation and external network safety devices should be used where possible.
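The Access Control step above can be turned into two concrete mechanisms: a least-privilege check that consults a role-to-permission map and rejects anyone whose account has passed its leaving date, and a periodic review that replays an access log against that same policy to flag accesses outside a user's role and accounts that were never deprovisioned. The following is an added example, not code from the original post or from Seqrite; the roles, user names, dates and log entries are all constructed for illustration.

```python
"""Least-privilege authorization check plus a periodic access review (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed role-to-permission map: each role gets only what the job needs.
# A purchase clerk, for instance, has no path to imaging or medical records.
ROLE_PERMISSIONS = {
    "physician": {"view_records", "update_records", "view_imaging"},
    "nurse": {"view_records", "update_vitals"},
    "purchase_clerk": {"view_inventory", "create_purchase_order"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    left_on: Optional[date] = None  # date the employee left the organization, if any


# Constructed user directory, including one physician who has already left.
ACCOUNTS = {
    "dr_ahmed": Account("dr_ahmed", "physician"),
    "nurse_lee": Account("nurse_lee", "nurse"),
    "clerk_raj": Account("clerk_raj", "purchase_clerk"),
    "dr_former": Account("dr_former", "physician", left_on=date(2024, 1, 31)),
}


def is_authorized(user: str, permission: str, today: date) -> bool:
    """Allow an action only if the account is still active and its role grants the permission."""
    account = ACCOUNTS.get(user)
    if account is None:
        return False  # unknown account: deny by default
    if account.left_on is not None and today > account.left_on:
        return False  # leaver: access must be treated as revoked
    return permission in ROLE_PERMISSIONS.get(account.role, set())


# Constructed access log: (date, user, permission actually exercised).
ACCESS_LOG = [
    (date(2024, 3, 1), "dr_ahmed", "view_imaging"),
    (date(2024, 3, 1), "clerk_raj", "view_inventory"),
    (date(2024, 3, 2), "clerk_raj", "view_imaging"),  # clerk looking at X-rays
    (date(2024, 3, 3), "dr_former", "view_records"),  # account never deprovisioned
    (date(2024, 3, 3), "nurse_lee", "update_vitals"),
]


def review_access(log):
    """Periodic review: return a finding for every logged access the policy would not permit."""
    findings = []
    for when, user, permission in log:
        account = ACCOUNTS.get(user)
        if account is None:
            findings.append((user, permission, "unknown account"))
        elif account.left_on is not None and when > account.left_on:
            findings.append((user, permission, "access after leaving date"))
        elif permission not in ROLE_PERMISSIONS.get(account.role, set()):
            findings.append((user, permission, f"outside role '{account.role}'"))
    return findings


def stale_accounts(today: date):
    """Accounts of people who have left but are still present in the directory."""
    return sorted(
        a.user for a in ACCOUNTS.values()
        if a.left_on is not None and today > a.left_on
    )


if __name__ == "__main__":
    review_date = date(2024, 3, 15)
    for finding in review_access(ACCESS_LOG):
        print("FINDING:", finding)
    print("Accounts to remove:", stale_accounts(review_date))
```

In practice the directory and log would come from the identity provider and the application's audit trail; the value of the review function is that it applies exactly the same rule the live check applies, so any finding is either a policy gap (the role grants too much) or a process gap (an account that should have been removed).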
Securing data in healthcare requires stringent policies that comply with regulations. The system implemented should be easy to manage yet provide complete control over the infrastructure along with a strong defense against cyber-attacks. Seqrite Endpoint Security solutions and Unified Threat Management solutions (Seqrite Terminator) provide integrated, easy-to-manage solutions that ensure the protection of critical data without compromising safety. With Seqrite, healthcare professionals can focus on what they do best: saving lives.