7 Cybersecurity Lessons the Healthcare Industry had to Learn the Hard Way

[Editor’s note: Today’s guest post comes to us courtesy of business technology consultant Rick Delgado. Thanks Rick! If you have something to say on the topic of crisis or reputation management it could wind up right here on the BCM blog. Email erik@bernsteincrisismanagement.com for more information.]

7 Cybersecurity Lessons the Healthcare Industry had to Learn the Hard Way

The need for cybersecurity isn’t news. In 2015 the cybersecurity market reached $75 billion and is projected to hit $1 trillion between 2017 and 2021. Much of the “sudden rush” to secure computers, networks, systems and data has come at the unfortunate breach of certain companies, especially in the healthcare industry. Simple mistakes made in the past and the lessons learned from them are what has put the industry where it is now. Today, the healthcare industry puts large stressors on the need for cyber and data security, but this wasn’t always the case. When looking at the attacks, breaches and simple mistakes made within companies and organizations that have been hit, a few big lessons stand out.

Healthcare Data is Pure Gold

Patient data is one of the most sought after forms of data on the black market today as it contains information that cannot be changed or “frozen”–such as a credit card–when stolen. Dates of birth, social security numbers, and home addresses are all important information included within patient files and are also the most damning when stolen.

Humans are Fallible

Another big lesson learned is that humans are fallible. We may begrudge our systems that require passwords that resemble computer code more than words, but some of the easiest breaches have come when cybercriminals have found ways through our weakest links: ourselves. Recognizing the human error aspect pushed forward a plethora of new initiatives that went from more secure passwords to even more awareness training: employees at healthcare facilities such as hospitals and private practices are required to update their passwords every three months or so, others are required to lock their computers or log out when they step away–even to run to the restroom. Training also included online medical transcription courses to lessen the number of hands that secure data was passing through.

Outdated Technology is a Death Sentence

A DDoS attack that happened on DYN that shut down major websites came about from unprotected digital cameras. According to James Scott, ICIT Senior, this breach showed a “Frankenstein method of security.” Moreover, computers that sit in back rooms that use outdated software or insufficient protection can become the very portals for cybercriminals to get in. Security systems should be consistent and always up-to-date. Don’t piece together different systems hoping that it means you are covered. Don’t let things slip onto the backburner either. IT departments should be on top of their updating schedules.

Third-Party Associates are a Gateway in

In addition to this, organizations can be on top of protecting their own systems but not be aware of the third-party gateway that hackers use – business partners. Several breaches in the healthcare industry in 2016 came through vendors. According to Pam Hepp, shareholder, healthcare practice at Buchanan, Ingersoll & Rooney “these breaches illustrate the importance of thoroughly evaluating vendors and having strong business agreements in place.”

Cybercrime Has Become its Own Industry

Stolen patient records can reach above $360 per record on the black market according to data from Ponemon Institute. Medicare ID numbers found by Greg Virign, CEO of RedJack, were being sold for 22 bitcoins–about $4,700. Due to this, cybercrime has become it’s own industry, drawing in even the lowest of talented hackers as it promises massive payouts. The attacks won’t be going away.

It Can’t be Done Alone

Most healthcare organizations don’t have the wherewithal or resources to execute cybersecurity strategies alone. Cybersecurity companies have begun to crop off offering the correct knowledge and help that organizations need to help fill in gaps and secure their systems. Healthcare organizations need to invest in outside resources and partnerships that will offer greater knowledge and due diligence.

Don’t Be the Last

Among these lessons learned is that the healthcare industry didn’t prevent privacy breaches and additionally didn’t embrace information technology soon or quickly enough. Waiting for another organization to be hit or waiting for news of a breach should never be the reason why you should invest in security. Instead, investments need to be made far in advance, as preventative, rather than after-the-fact.

Rick Delgado is a business technology consultant for several Fortune 500 companies. He is also a frequent contributor to news outlets such as Wired, Tech Page One, and Cloud Tweaks. Rick enjoys writing about the intersection of business and new innovative technologies.