How Bad Can It Really Be?

Saying that phishing is a big problem is an understatement. In a recent survey by Healthcare IT News and HIMSS Analytics, over 50% of the responding hospitals reported some sort of ransomware attack (Sullivan, 2016).

Hospitals are extremely vulnerable because they don’t have the luxury of time when negotiating with phishers. They simply must have access to their data in order to continue to provide care to their patients. Further complicating the issue for hospitals are somewhat higher employee turnover rates, which make it more difficult to maintain a vigilant and well-trained workforce.
It’s Expensive, Too!

The cost of a breach is high. Last year, the Department of Health and Human Services (HHS) collected over $20 million in fines from 15 different enforcement actions. This represented a new record for HIPAA enforcement. In addition, fines have increased from $85,000.00 to $2,000,000.00. The Ponemon Institute, a well-respected industry group, puts the total cost of a breach at about $4 million.

However, a healthcare organization may pay in more ways than one when it experiences a breach. Conrad points to some other consequences which carry a price tag that is more difficult to quantify than a fine or a lawsuit:

• Reputation – when the breach becomes public, the community, employees, and physicians may lose confidence in the organization.
• Regulatory issues – regulators will want to know how the organization is trying to protect itself and whether or not the organization was following its own protocols at the time of the breach.
What Makes Us Vulnerable?

When asked about employee readiness to defend against a breach, Conrad points to the results of a recent MediaPro survey that showed just 28% of healthcare employees demonstrated the privacy and security awareness necessary to prevent incidents that could lead to a breach. Of the 850 healthcare employees surveyed, the majority (72%) were rated a “security risk” or “novice” based on their survey responses, demonstrating a clear need for better training (Schwartz, 2017).

Conrad believes that the most susceptible organizations are the ones that fail to direct their focus and resources to where their organizations are really the most vulnerable—their people. Conrad says, “The hardware and software technology is great and is very effective, but now we need to focus on the human element and ensure that we are educating employees to properly protect data and reduce risk.” In healthcare, the biggest payout for an attacker comes from blocking access to data—in other words, ransomware. Conrad says, “If a bad actor can lock down their files, they’re going to pay up and they’re going to pay up fast.”

Conrad cites several reasons healthcare is particularly vulnerable to cyberattacks. For one thing, healthcare simply doesn’t have the resources to protect itself like other industries do. Additionally, there is a relatively high employee turnover rate in healthcare, making training more complicated. It’s also an industry with a lot of very time-sensitive and critical data that is spread across multiple locations, ranging from the inpatient setting to ancillary locations and physician offices.

Physicians and their office staff are key targets for ransomware and phishing attacks. Conrad explains, “They work in a fast-paced environment that values patient satisfaction. Because of this, they may look to respond quickly to a phishing email attempt and miss the warning signs. A hasty decision, made with good intentions, can easily lead to very severe consequences.”
Best Practices in Defense of Breach

Given the vulnerabilities described in some of the research, what is the best way to ensure that employees remain vigilant and smart about how to spot fraudulent emails? Some healthcare organizations have established Bitcoin accounts in the event that they are the victim of a ransomware threat, but is that the best available option?

Conrad recommends monthly mock phishing supported by employee training to best address the vulnerability created by employees. “An organization’s IT department may understand and be able to respond to the technology issues, but be less prepared to deal with the human problems.”
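A monthly mock-phishing programme only pays off if its results are measured and fed back into training. The script below is an added example (not code from HealthStream or from Conrad) showing how a security team might score the results of such a programme: per-campaign click and report rates, click rates by department, and the employees who clicked in more than one campaign and so belong at the front of the training queue. The campaign data, employee ids and department names are constructed for illustration and do not come from any real organization.

```python
"""Score the results of a monthly mock-phishing programme (constructed example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One employee's outcome in one simulated-phishing campaign."""
    month: str        # campaign month, e.g. "2017-01"
    employee: str     # pseudonymous employee id (constructed)
    department: str   # constructed department label
    clicked: bool     # followed the simulated link
    reported: bool    # reported the message to IT/security


# Constructed sample data for three monthly campaigns; not real results.
RESULTS = [
    Result("2017-01", "e1", "physician-office", True, False),
    Result("2017-01", "e2", "physician-office", True, False),
    Result("2017-01", "e3", "inpatient", False, True),
    Result("2017-01", "e4", "inpatient", False, False),
    Result("2017-01", "e5", "physician-office", True, False),
    Result("2017-02", "e1", "physician-office", True, False),
    Result("2017-02", "e2", "physician-office", True, False),
    Result("2017-02", "e3", "inpatient", False, True),
    Result("2017-02", "e4", "inpatient", True, False),
    Result("2017-02", "e5", "physician-office", False, False),
    Result("2017-03", "e1", "physician-office", True, False),
    Result("2017-03", "e2", "physician-office", False, True),
    Result("2017-03", "e3", "inpatient", False, True),
    Result("2017-03", "e4", "inpatient", False, True),
    Result("2017-03", "e5", "physician-office", False, True),
]


def campaign_rates(results):
    """Per-month (click_rate, report_rate), each rounded to 3 decimals."""
    by_month = defaultdict(list)
    for r in results:
        by_month[r.month].append(r)
    rates = {}
    for month, rows in sorted(by_month.items()):
        n = len(rows)
        clicks = sum(r.clicked for r in rows)
        reports = sum(r.reported for r in rows)
        rates[month] = (round(clicks / n, 3), round(reports / n, 3))
    return rates


def department_click_rates(results):
    """Click rate per department across all campaigns; highlights where to focus training."""
    seen = Counter()
    clicked = Counter()
    for r in results:
        seen[r.department] += 1
        clicked[r.department] += r.clicked
    return {d: round(clicked[d] / seen[d], 3) for d in seen}


def repeat_clickers(results, threshold=2):
    """Employees who clicked in at least `threshold` campaigns -> click counts."""
    clicks = Counter(r.employee for r in results if r.clicked)
    return {e: c for e, c in clicks.items() if c >= threshold}


def is_improving(results):
    """True if the latest campaign's click rate is below the first campaign's."""
    rates = campaign_rates(results)
    months = sorted(rates)
    return rates[months[-1]][0] < rates[months[0]][0]


if __name__ == "__main__":
    for month, (click, report) in campaign_rates(RESULTS).items():
        print(f"{month}: click rate {click:.0%}, report rate {report:.0%}")
    print("by department:", department_click_rates(RESULTS))
    print("repeat clickers for targeted training:", repeat_clickers(RESULTS))
    print("trend improving:", is_improving(RESULTS))
```

Two design choices matter for a real programme: employees are identified only by a pseudonymous id so that results can drive training without becoming a blame list, and the report rate is tracked alongside the click rate, because an organization that reports suspicious mail quickly limits the damage even when someone does click.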
HealthStream.com/contact • 800.521.0574 •