Cybercrime

If you’re a provider of healthcare, then it’s likely that you’re not allocating enough leadership and resources toward protecting your company from cybercrime. Cybercrime against healthcare providers receives a fair amount of attention in the media and in industry circles. People are aware of the threat. They talk about it, and most even worry about it, but the actual threat posed by cybercrime far exceeds the effort and resources put forth to combat it in my opinion. This mismatch between the threat level and resources expended poses an enormous threat to our industry and the people who rely on it for their healthcare needs. There’s a strange stigma that surrounds getting hacked. If someone breaks into your car, you talk about it to everyone. If someone hacks into your systems, you don’t tell anyone. Ever. That’s probably because it’s unpleasant, complicated, and involves technology in a way that we don’t always readily understand. Many hacks aren’t required to be reported because they are settled with the payment of ransom. The silence that surrounds cybercrime means that most of us fail to recognize the enormity of the threat. I find that it’s helpful to sort healthcare cybercrimes into two buckets. First, and most commonly, there are hacks that expose patient records to bad guys and get reported as HIPAA breaches. The numbers of this type of breach have and will continue to rise. In fact, they’ve doubled in the past year alone. The second bucket of cybercrimes is filled with “successful” ransom incidents, whereby the victims have paid ransom to recover data or access to their own systems again. There are far more ransomware incidents in healthcare than reported HIPAA breaches. Unfortunately, since HIPAA violations require public reporting and the ransoms very often don’t, misconceptions are created. Ransom incidents are growing at an alarming rate. It is estimated that one quarter of all healthcare providers have paid a ransom to cybercriminals. Eleven billion dollars have been paid in ransom this year alone, and it isn’t even over yet. Just because ransomware attacks are out of sight doesn’t mean we can safely ignore this risk. Healthcare is the favorite target of cybercriminals because healthcare providers possess valuable information about patients (social security numbers, addresses, etc.), while at the same time being generally under-invested in protection against such crimes. Listen, folks: You’re not up against a nerdy kid living in their parents’ basement. You’re up against the military and intelligence arms of several large and powerful nations. Much of this cyberwar is being waged by foreign governments or government sponsored organizations against American businesses and consumers in an attempt to transfer American wealth overseas. This is not something to take lightly. The US government is doing precious little to protect us, leaving the responsibility for defending ourselves up to you and I. I am sounding the alarm bell here and now: It is highly likely that you are not devoting enough resources to protect yourself against cybercrime. I’m not a cybersecurity expert, so I’m not here to tell you all the technical answers to this problem, but I will offer some of the lessons I’ve learned as a leader in a healthcare organization.

1. Addressing this problem is a journey, not a destination. We all want a silver bullet. We want a simple answer, be it a software or service, that we can buy, set, and forget to protect ourselves. That is not the way this stuff works. You will actually need to buy several dozen products and take ongoing action to move toward adequate security, and the things you need will evolve over time.
2. It will be costly to protect your organization. You must find a way to re-allocate financial resources, creating a robust budget for strengthening your cybersecurity defenses.
3. Your employees and their behaviors are your biggest cyber threat. You heard me. Your employees, no matter how well intentioned, are likely to be the weakest link in your defenses. Hackers don’t just manipulate systems. They manipulate people. A human-centric cyber protection plan is an absolute necessity.
4. If you are a leader, you are probably exacerbating the cyber threat. Establishing a culture that values cybersecurity comes from the top. Set the tone. Lead by example. This Achilles heel will most likely manifest itself when people in the organization are asked by your IT department to change a behavior or practice. Examples might include using two factor authentication or locking out external drives and devices. People often resist these changes because they’re inconvenient, and if you fail to stand strong for making the right security moves, your organization will be exposed.
5. Take a long term view. Payers are increasingly vigilant when it comes to cyber protection, and that will be flow down to you as a provider. If you don’t put the right security in place, you’ll soon find that you won’t be able to do business directly with many payers or referral sources.
6. Listen to the people who know. Chances are your IT people know and have told you some things that need to be done differently. Do yourself a favor and listen to them.