Lack of staff awareness training led to a record number of health care breaches in 2017

Health care is among the most breached industries, but according to a report by Merlin International and Ponemon Institute, the sector isn’t doing enough to prevent incidents.

The 2018 Impact of Cyber Insecurity on Healthcare Organizations study found that 52% of respondents said their organizations don’t receive enough staff awareness training, 74% said they didn’t have enough qualified staff, and 56% said their organization’s cybersecurity budget was insufficient.

The lack of investment in cybersecurity led to a record number of data breaches in the health care sector in 2017. Two-thirds of respondents said they experienced an attack in the past 12 months, and more than half of them lost patient data.

How are these breaches happening?

When you hear about data breaches, the idea of cyber attacks might spring to mind. Although external attacks are a significant part of the problem, respondents are more concerned about the threat of insiders (63% versus 64%).

Insiders are prone to accidentally disclosing information. For example, they might lose a patient’s records or send information to the wrong person. Insiders might also misappropriate information for malicious purposes, often because they plan to use it to commit fraud or sell it to other criminals via the dark web.

The report says that the most targeted information is:

  • Patient medical records: 77%
  • Patient billing information: 56%
  • Login credentials: 54%
  • Passwords and other authentication credentials to systems, servers, or applications: 49%
  • Clinical trial and other research information: 45%

Commenting on the report, Merlin International’s director of health care strategy, Brian Wells, said: “In an increasingly connected, digitally centric world, hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase in scope over time.

“Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care.”

Reducing the number of data breaches

Organizations should already be aware that staff awareness training will mitigate the risk of data breaches, but as the report shows, cybersecurity departments are underfunded. Senior staff would probably argue that there simply isn’t enough money to provide sufficient training to everybody in the organization. However, staff awareness training is an essential part of cybersecurity, and it doesn’t have to cost a fortune.

Our Information Security Staff Awareness E-learning Course helps employees gain a better understanding of information security risks and compliance requirements, thereby reducing the risk of data breaches. It uses clear, non-technical language, making it ideal for those without experience of the subject.

The course is most effective when delivered during employee induction and then repeated annually.
