by John W. Mitchell, Senior Correspondent | March 03, 2017
According to information presented at HIMSS last week, nearly six billion private records have been lost globally to data breaches since 2013. Health care accounted for 27 percent of such losses, more than any other industry.
In 2016, the health care industry averaged about four data breaches a week, according to records from the Department of Health and Human Resources. Although ransomware attacks account for a little less than half of those breaches, they wound up costing $1 billion in 2016.
"Hospitals still rely on real-time information from patient records to provide critical care," Christopher Strand, senior director of compliance at Carbon Black, told HCB News. "As a result, they will typically pay the demand rather than risk disruption or delay of care. This makes them easy targets for a successful ransom attack."
Strand said both ransomware and non-ransomware data attacks occur because health care leaders are often focused on the wrong parameters. His observation is supported by a 2016 study, titled "Securing Hospitals". The study was conducted on 12 health care facilities, two health care data facilities, two active medical devices from one manufacturer, two web applications, and other related platforms.
The study concluded that "the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to, or protection of, patient health from a cyber threat perspective."
"Leaders may continue to fail to understand the threat, and what controls to focus on to address that threat," said Strand. "As I have seen for many years within IT security audits, when deciding on priorities and infrastructure to address, executives and administrators will drift toward the areas within their business that are governed by some type of mandate."
He explained that the focus tends to be on legislated policy rather than on the protection of patient information. This involves security audits, which, if done incorrectly, can be the first failure in protection and serve as a distraction from building a true threat prevention model. Too often, Strand stressed, many working within the health care industry may be unaware of how to measure risk to their critical data.