We have all heard of the cyber attacks on financial institutions and retail businesses. More and more, we are hearing of attacks in the healthcare industry. Attacks reported just this year have involved Premera Blue Cross, affecting 11 million patients, and Anthem, involving 80 million records. These are just the high-profile cases we hear about. According to Intel Security and the Atlantic Council, about 44 percent of all registered data breaches in 2013 targeted medical companies, with that share increasing to 60 percent in 2014. The number may seem larger than expected, but the fact is that these reported medical-company breaches happen on a smaller scale than those at banks and retail businesses, so they typically affect fewer people at a time and do not make the national news.
In addition to protecting the customer's personally identifiable data, healthcare professionals face another area of risk: networked medical devices such as pacemakers, Fitbit and stationary medical devices. The Atlantic Council cites the following four categories in the risk landscape for networked medical devices.
The first concern is accidental failures, which erode trust and could stop these promising technologies in their tracks. A second immediate concern is protecting patient privacy and the sensitive health data inside these devices. Intentional disruption is also a concern, because networked medical devices face the same technological vulnerabilities as any other networked technology. Even more dangerous than the potential for targeted killings—though also far less likely—is the threat of widespread disruption.
What should you as a medical professional do to help mitigate these risks?
- To be fully effective, you will need to bring in an expert. Advanced, persistent threats such as the ones that can occur in the healthcare industry require an ability to plan, design, and implement effective cyber security controls that can stay ahead of emerging threats and current technologies. Indeed, cyber security should not be randomly assigned to any employee. Instead, cyber security requires a higher level of education, training, and certification.
- Make sure your IT system has adequate security and enforcement so that it is not susceptible to a cyber attack.
- Gain the technical and administrative knowledge necessary to combat advanced, persistent threats.
- Talk with your insurance broker about the cyber liability products best suited for your particular business.