In a recent KPMG survey of 223 healthcare executives, a full 80 percent stated that their information technology had been compromised by cyber attacks.
Let’s think about this for two seconds… 80 percent!!! Possibly, a portion of the remaining 20 percent did not yet know that they belonged in the 80 percent. After all, how many clients have you taken on only to find that their network was being compromised or had been compromised?
In healthcare especially, the question is not if providers will experience a breach or cyber attack, but rather when. How will they respond, and what will the fallout be?
There are few markets in as dire need of qualified, compliant Managed Service Providers as healthcare.
Why are So Many of These Cyber Attacks Successful?
The healthcare community has been dragged, nearly kicking and screaming, into the digital age. Well, not so much dragged as incentivised, but there’s been plenty of kicking and screaming. Now more healthcare information is digital, and with that comes the need for digital security and safeguards.
Many providers are using outdated or insufficient EMR (electronic medical records) software. Many software vendors have products that are not adequate for today’s networked and connected environments. So proper security of these systems is left to each provider. In most cases, security is either very basic or non-existent.
Another issue is how easy it is to distribute ePHI (electronic protected health information). With old paper records, it would be nearly impossible for someone to steal a large amount of records from a provider’s office. However, in the digital world, you can pack an entire office of medical records on nearly any modern USB drive, laptop, smartphone, tablet, etc. In addition, the ability to compromise networks and steal data is very real and not that difficult in smaller, independent provider offices.
The Internet of Things is quickly becoming an even greater problem. More “things” are connected than ever before. Copiers, medical devices, watches and more are all connected, and many times within the same environment with no access limitations between devices. This means that someone could hack a respirator pump and then gain access to a server.
The evolving threat landscape is driven by big payoffs for health records. Threats today are much more sophisticated and rapidly changing. Even a small office breach could bring in tens of thousands of dollars on the black market or the Dark Web. These small, independent providers are low-hanging fruit for hackers. In some cases, they are fruit on the ground just waiting for anyone to grab.
Top Cyber Security Threats
Among those surveyed, 65 percent indicated that external hackers were their greatest vulnerability, followed by sharing data with third parties at 48 percent.
When asked what their top information security concerns were, 67 percent said it was malware infecting their systems, and 57 percent cited HIPAA violations.
What this shows Managed Service Providers is where their clients’ potential concerns are. It also provides proof that the healthcare market needs quality, HIPAA compliant Managed Service Providers. As IT solutions providers, Managed Service Providers are qualified to address nearly all of the vulnerabilities and concerns identified in the study.
Let’s take a brief look at the concern they have about violating HIPAA. Did you know that if a medical provider hires a Managed Service Provider that is not HIPAA compliant itself, the provider is violating HIPAA?
That’s right, Managed Service Providers that fully support these healthcare clients MUST also be HIPAA compliant. Don’t let someone tell you that all you have to do is use encryption, follow security best practices and sign a BAA (business associate agreement). There is a lot more to HIPAA compliance than that.
Why would you even want to support a client when you don’t understand, care about or abide by their requirements? That’s bad business! If you are giving HIPAA lip service and not taking it very seriously, it could come back to bite you…hard!
Healthcare Attacks and Breaches on the Rise
There is plenty of proof that hackers are able to make much more money by stealing healthcare records (versus other data) and selling them. This makes healthcare clients very vulnerable to attacks and breaches.
The financial sector is still the most attacked, but it has spent 20 years focusing on cyber security and protection. Healthcare largely ignored these threats until recently. This lack of attention paid to cyber security and protection has put a strain on the healthcare industry, especially for small providers.
Many providers don’t have the necessary security in place to even know when they are being attacked. One KPMG client reported a 1000 percent increase in security incidents to their enterprise once they implemented an effective Security Operations Center (SOC) to intercept, interpret and report on threats.
I’ve seen this with our clients as well. In many cases, we put in a Unified Threat Management device accompanied by our remote monitoring and management (RMM) agent, and find that the number of attacks on a client is in the hundreds or even thousands per day. Healthcare organizations are not well prepared to handle the threats they face.
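The paragraph above describes what a UTM device plus monitoring agent reveals once blocked connection attempts are actually counted. The following script is an added example, not code from the article or from HIPAAforMSPs.com: it parses a constructed, syslog-like firewall log format (assumed here; it is not any particular vendor's format), tallies dropped inbound attempts per day, lists the top sources and destination ports, and flags sources that keep coming back. The sample log lines, IP addresses and dates are constructed for the example.

```python
"""Daily summary of blocked inbound connection attempts from a UTM/firewall log.

Added example; the log format and sample lines below are constructed and do not
correspond to any specific vendor's UTM output.
"""
import re
from collections import Counter, defaultdict

# Assumed log line shape (constructed for this example):
# YYYY-MM-DD HH:MM:SS utm <ALLOW|DROP> src=<ip> dst=<ip> dport=<port> proto=<proto>
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"utm (?P<action>ALLOW|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: repeated RDP/SSH probes from one source, one SMB probe,
# one legitimate HTTPS connection, and one malformed line that must be skipped.
SAMPLE_LOG = """\
2016-03-01 00:01:12 utm DROP src=203.0.113.5 dst=192.0.2.10 dport=3389 proto=tcp
2016-03-01 00:01:13 utm DROP src=203.0.113.5 dst=192.0.2.10 dport=3389 proto=tcp
2016-03-01 00:01:14 utm DROP src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2016-03-01 08:15:00 utm ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2016-03-01 09:30:44 utm DROP src=198.51.100.22 dst=192.0.2.10 dport=445 proto=tcp
this line is garbage and must be skipped
2016-03-02 02:10:01 utm DROP src=203.0.113.5 dst=192.0.2.10 dport=3389 proto=tcp
2016-03-02 02:10:02 utm DROP src=203.0.113.9 dst=192.0.2.11 dport=23 proto=tcp
"""


def parse_log(text):
    """Parse log text into a list of record dicts; return (records, skipped_count).

    Malformed lines are counted rather than silently dropped, so a sudden rise in
    skipped lines (format change, truncated log) is visible to whoever reads the report.
    """
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LOG_RE.match(line)
        if match is None:
            skipped += 1
            continue
        rec = match.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records, skipped


def summarize(records, top_n=3):
    """Per-day counts of DROP/ALLOW plus the busiest sources and targeted ports."""
    by_day = defaultdict(lambda: {"drops": 0, "allows": 0,
                                  "src": Counter(), "ports": Counter()})
    for rec in records:
        day = by_day[rec["date"]]
        if rec["action"] == "DROP":
            day["drops"] += 1
            day["src"][rec["src"]] += 1
            day["ports"][rec["dport"]] += 1
        else:
            day["allows"] += 1
    return {
        date: {
            "drops": d["drops"],
            "allows": d["allows"],
            "top_sources": d["src"].most_common(top_n),
            "top_ports": d["ports"].most_common(top_n),
        }
        for date, d in sorted(by_day.items())
    }


def repeat_offenders(records, min_drops):
    """Sources whose dropped attempts across the whole log reach min_drops, busiest first."""
    counts = Counter(rec["src"] for rec in records if rec["action"] == "DROP")
    return [(src, n) for src, n in counts.most_common() if n >= min_drops]


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    for date, day in summarize(recs).items():
        print(f"{date}: {day['drops']} dropped, {day['allows']} allowed, "
              f"top sources {day['top_sources']}, top ports {day['top_ports']}")
    print("repeat offenders (>=3 drops):", repeat_offenders(recs, 3))
    print("malformed lines skipped:", skipped)
```

In practice the per-day drop count is the number the paragraph is talking about; the repeat-offender list and targeted-port list are what turns a raw count into something a provider can act on (block lists, closing exposed management ports, deciding what deserves a ticket).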
For HIPAA compliant Managed Service Providers, the opportunities in healthcare are massive. However, entering the healthcare vertical is no small undertaking. To take on HIPAA, you have to become and remain compliant, learn and stay highly educated and implement continual staff training, to name a few responsibilities. Still, the ROI is certainly worth the investment when done right.
Healthcare organizations must incorporate cyber security in their environments and develop a strategic plan to defend their networks and, ultimately, their patients’ data.
Managed Service Providers can help these healthcare organizations further by helping them coordinate a cyber security action plan and staying actively involved in its enforcement. Providing ongoing awareness and training through multiple formats, like webinars, is also a great service to provide.
Call us now if you think your office is in need of a security audit, and see what other ways we can help your business be HIPAA compliant.
The following article was written by J. David Sims of HIPAAforMSPs.com