Cyber attacks in the healthcare industry are on the rise, and protecting your hospital and its patients’ protected health information is vital to its survival. In this guest post, Parker Rains, VP of a middle market business insurance firm, offers best practices for a disaster recovery and continuity plan hospitals can use to prevent cyber attacks.
As today’s society becomes more reliant on technology, it also becomes more susceptible to cyber attacks. The United States experienced an all-time high of 1,093 data breaches in 2016, according to a report released by the Identity Theft Resource Center (ITRC). That’s a 40% increase from 2015.
More than a third – 34.5% – of those breaches originated in the healthcare industry. In 2016, the industry experienced a record 377 breaches – 101 more than in 2015, according to ITRC. So it’s no surprise that 36% of consumers are worried their health information will end up in the wrong hands, per a recent report from cyber security vendor AnchorFree.
Medical data vs. credit card numbers
America’s healthcare industry is threatened by cyber attackers seeking to gain medical data, which is far more valuable than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances. Just look at the numbers: Medical data is sold at $60 per record, while credit card records are sold at $1-$3 each, according to NBC News.
Stealing medical data allows hackers to essentially “own” a person. They can use your medical records to pay for treatments or surgeries and even file false tax claims.
Financial data from stolen credit cards is less profitable to cyber attackers because it has a finite lifespan – when a breach is detected, the owner simply cancels the card or the account. Medical data, on the other hand, lasts for life, making it more valuable. Despite the vulnerability of this data, the healthcare industry is lagging in its security and encryption.
Costly healthcare breaches
Failing to take extensive measures to protect healthcare data is costly. Each stolen record costs a healthcare company on average $355, according to the Ponemon Institute’s 2016 Cost of a Data Breach study. According to the same study, an average breach to a healthcare company costs $4 million, a 29% increase since 2013.
These statistics continue to grow: 87% of lawyers from the American Health Lawyers Association agree that clients within the healthcare industry are at greater risk of cyber attacks than those in any other industry, according to Modern Healthcare. And 70% of businesses close within two years of a disaster, according to Continuity Central. It’s vital for the privacy of your patients and the success of your healthcare business that you establish a disaster recovery and continuity plan.
A disaster recovery and continuity plan protects your company from preventable cyber attacks and outlines how to react in case of a data breach. Further, it can reduce the amount of time it takes to identify breaches and the likelihood of experiencing a breach.
Follow these best practices when developing your plan:
- Define your key assets: To successfully defend your company from attack, you must first know what you’re protecting. What are the key assets that would bring a loss to your company and your patients if hacked? Gather your management team and discuss potential losses and means of mitigating these threats.
- Determine recovery solutions: After defining your company’s most important assets, the next step is to determine a means of recovery should your data be breached. For example, your continuity plan may include saving data to a backup disk, server or cloud storage – or perhaps a complete data replication to a secure offsite location.
- Assign roles and establish a communication plan: In the case of an emergency, it’s important to know who’s responsible for officially declaring a disaster and enacting a communication chain. The existence of a strong incident response team results in the greatest reduction in the per capita cost of a data breach, according to the Ponemon Institute study.
- Review your plan regularly: For your plan to perform as designed, it’s important that you review it with employees regularly so everyone understands what to do when faced with a data breach. Be sure to update the plan as new policies are added and personnel change.
In addition to a disaster recovery and continuity plan, you may want to consider cyber liability insurance. While the overall cost of data breach detection is increasing as cyber attacks become more sophisticated, cyber liability insurance helps lower these costs.
Parker Rains is VP of middle market business insurance firm Fisher Brown Bottrell Insurance, which is a wholly owned subsidiary of Trustmark National Bank, a publicly traded financial services company.