In the first half of 2015 alone, there were 8 health systems storing more than one million records that were attacked; the largest was Anthem where 78M individuals were affected. PwC’s 2016 survey on the global state of information security noted that 38% more healthcare security incidents were detected in 2015 than in 2014; and the average financial impact rose from $2.5M in 2014 to more than $6M in 2016. Further, the Identity Theft Resource Center reports that in 2016, healthcare data breaches accounted for over 35% of all information security incidents worldwide.
Why are cyber attacks in the healthcare industry happening now? It has been widely reported that medical records are worth at least ten-fold those of credit cards on the black market. Their value combined with increasing digitization in healthcare and the heretofore disinclination among healthcare leaders to adequately protect data have offered hackers ample incentive—and opportunity—to target this market.
Fewer than 20% of healthcare providers have a singly-appointed leader of information security and 25% do not operate an information security center. This despite the increase in incidents: In 2015, IBM reported that healthcare was the number one target for cyber attacks; and Accenture reported in The $300 Billion Attack that some 25 million people—one out of every 13 patients—will have financial or other personal data stolen from their healthcare providers over the next 5 years.
Experts indicate the attacks will continue, the costs per breach—now estimated at $200 per patient record—will increase, and digitization will continue expanding to mobile solutions, wearables and medical devices (which many believe are susceptible to terrorism). Accordingly, healthcare leaders can no longer afford to ignore the problem.
In fact, the data suggest that investment in healthcare cyber security offers a strong ROI: it’s been estimated that prevention costs, including those of staffing, risk assessment, security controls, monitoring and detection, forensics and insurance, run about $8 per patient record. Further, a path to enhanced data security is well defined as several cyber security frameworks, namely those of HITRUST, ISO 27001, and the National Institute of Standards and Technology (NIST) offer roadmaps for healthcare leaders. Also, improvements in authentication and identity management technology present further cost effective resources for leaders to combat breaches.
The business case and the technical wherewithal to improve the security of healthcare data are evident; however, getting this subject on the agenda at board meetings has not been easy. This is likely due to three challenges: first is the lack of a single internal owner within the organization. The second is that cyber security is typically perceived as a problem for internal IT organizations to solve; and third, information security (INFOSEC) professionals often do not present the business case and solutions in ways that boards and other business leaders fully comprehend.
Regardless, increases of cyber breaches across the healthcare industry clearly indicate that it is time for board-level involvement. When information security puts a company’s finances, operations, customer relationships, R&D and brand at risk, it becomes a fiduciary responsibility of the board and chief executive.
Boards of directors would do well to first receive their own cyber training, after which they will be better prepared to address INFOSEC in the contexts of risk and compliance, operational continuity, brand reputation and ultimately, profitability. They must then direct chief executives to create cyber risk management programs.
CEOs should prioritize information assets based on business risks, provide differentiated protection based on the importance of those assets and diligently deploy active defenses to uncover attacks before they breach. Further—as it has been made abundantly clear—because simply defending the digital perimeter is no longer sufficient, CEOs must foster a cybersecurity culture throughout their organizations.
The CEOs’ first step towards improving cybersecurity must be to hire a Chief Information Security Officer (CISO)—someone who is solely responsible for digital security. My executive search experience informs that this talent is scarce and in high demand; I have recruited healthcare CISOs from consulting and law firms, the government and the military, financial institutions, and even the gaming industry. There is not enough talent to meet demand (even though higher education institutions are graduating cyber experts at record pace). Therefore, selection criteria should emphasize leadership, the ability to foster teamwork, business acumen, risk management, political savvy and communication skills rather than years of experience. Most importantly, CISOs should report directly to the CEO with a dotted line to the CIO. This structure affords organizations important checks and balances while maintaining budget integrity.
There is no such a thing as completely secure systems, but organizations without a cyber-incident response plan have greater liability than those that do not. Further, simply drafting a plan is insufficient; it is necessary to integrate cyber security into all business processes. It is when organizations appoint a CISO to oversee the initiative that cybersecurity becomes a competitive differentiator and business enabler.
Dennis Chesley, PwC’s Global Risk consulting leader was recently quoted as saying-“Many executives are declaring cyber as the risk that will define our generation.” Whether security is breached by sophisticated cybercriminals, political “hackers”, nation states or even internal employees, this topic is not going away and healthcare executives must make measured tradeoffs between the benefits of a connected world and the risks of operational and reputational disruption.
Healthcare leaders currently allocate approximately 10% of their IT budgets to security; that number is closer to 20% or more in other verticals. Healthcare boards can no longer skimp on digital security in favor of improved financials. Doing so risks sacrificing HIPAA compliance, business operations, customer good will…and ultimately profitability.
Insufficient boardroom prioritization, the dearth of cyber security talent, minimal employee training, and insufficient planning are without question the top contributors to security risks as we turn the calendar to 2017. The winners in healthcare will be those that find the balance between innovation and security planning; they will be those who invest ahead of the problem and remain vigilant stewards of their own IT systems and their customers’ data.