A cyber security breach will no longer be just a matter of protecting medical records but will evolve to impact patient safety in five to ten years unless the healthcare industry implements internal controls similar to those of the financial services sector,
"Financial firms tend to have a higher level of due diligence when it comes to assessing and evaluating the security of their third parties," said Stephen Boyer, chief technology officer and co-founder of BitSight.
Healthcare providers collect, store and share patient data as well as the information needed to complete emergency room procedures, conduct lab work and CT scans, and provide pharmacy services. Ransomware is malicious software that can restrict access to that data.
"Ransomware can interrupt critical processes, so even if the personal health information is restored, the loss of the use of electronic data sharing or portable medical devices can result in a delay in treatment, care and even administering medication," said Damian Caracciolo, vice president and practice leader with CBIZ Management & Professional Risk in Columbia, Maryland.
Such infections accounted for 88 percent of all detections in healthcare organizations during the second quarter of 2016, according to a Solutionary study.
"Healthcare organizations tend to let infections linger on their networks longer and are typically slower when it comes to patching known vulnerabilities," Boyer told the Huffington Post.
Ransomware is particularly troubling for healthcare organizations, which are responsible for safeguarding protected health information, intellectual property and payment information.
"Healthcare has been a target for ransomware campaigns because the industry has often paid to retrieve vital customer data quickly," said Rob Kraus, director of research at the Security Engineering Research Team at Solutionary.
Another reason healthcare facilities are more often targeted is that they lack the resources, IT processes, internal staffing and technologies employed by other industries, according to Caracciolo.
"Hacked information from a healthcare facility often includes not only protected health information but also personally identifiable information and credit information," said Caracciolo.
Health information can be used by crooks to commit multiple types of fraud or identity theft, which is why losses in the healthcare industry are so much larger than the overall average of all business sectors.
At 21%, the healthcare sector is the most frequently breached, according to a NetDiligence Cyber Claims study, and the average total claim for a breach was $1.3 million, compared to $673,767 across all industries.
"The C-Suite needs to include cyber security more in boardroom discussions and appoint an officer who is responsible for cyber security and compliance while providing the resources needed to maintain and improve internal controls," said Chris Roach, managing director and national IT practice leader with CBIZ Risk & Advisory Services in Houston, Texas.
Simple financial information on its own generates only minimal income for fraudsters; however, when coupled with personal health information or healthcare credentials, financial records can bring as much as $500 per theft.
"In some cases, a person's health information can be used to secure healthcare for those who do not otherwise have access, which amounts to free healthcare," said Caracciolo. "Ransomware is more of a threat in the healthcare sector than in financial services because of the type of information that can be accessed."
The healthcare industry, which maintains extensive repositories of information, can learn a lot about preventing cyber attacks from Wall Street firms where sophisticated means and measures have been developed.
"Wall Street is ahead of healthcare because it's been fighting the fight a lot longer, and financial services firms have more reputational risk at stake than do healthcare providers when and if their records are breached," said Caracciolo.
According to healthcare IT experts, ensuring a healthcare business has a backup and recovery process is key, along with up-to-date security software and the ability to detect the most recent ransomware variants.
"As the threat continues to evolve, it will be crucial for organizations to have defined incident-response procedures and proper detective and preventive controls in place to reduce ransomware's impact," Kraus said.
Like financial services firms, healthcare businesses must be diligent about user training, system patching, updating anti-virus software, shortening the time it takes to respond to incidents and tracking asset management.
“Even with the electronic health information exchanges, healthcare is still largely disjointed and non-integrated,” Roach told the Huffington Post.
Bare minimums include implementing a written security policy that addresses data breach preparedness, periodic risk assessments for changes in a company's privacy and security environment, and the ability to work with forensic organizations in the event of an attack.
"Whether your firm stores patient health information or investor information, the internal control protocols should be consistent and similar," said Wayne Siebner, senior vice president with Assured SKCG.