As the world moves into an increasingly digital state, issues surrounding cybersecurity have grown exponentially as hackers and bad actors find new ways to infiltrate our networks and steal our most sensitive data. Over the last few years, hacking and IT security incidents have steadily risen, and many organizations — regardless of industry — are struggling to defend their network perimeter from cybercriminals looking for vulnerabilities.
One industry that has been heavily targeted is healthcare. Under HIPAA rules, hospitals, health insurance companies, clinics, nursing homes and pharmacies must comply with requirements to protect the privacy and security of health information, but breaches are still happening at an alarmingly rapid rate.
Every year since 2013, the healthcare industry has witnessed an increasing number of hacking incidents, and 2015 was especially troublesome as more patient and health plan member records were exposed or stolen that year than in the previous six years combined — and by a wide margin. In 2015 alone, more than 113 million records were compromised, nearly 79 million of which were stolen in the attack on the United States’ largest health insurance company, Anthem, resulting in the largest settlement ever for a data breach ($115 million). The infographic below (Clearwater Compliance, LLC) illustrates more statistics about the Anthem data breach and highlights that 94% of healthcare breaches are due to human error, an obvious area ripe for automation.
According to the 2017 Cost of a Data Breach Study, healthcare data breach costs are the highest among all industries for the seventh straight year. The annual study, conducted by Ponemon Institute and sponsored by IBM Security, also revealed that the average cost of a data breach in the U.S. has hit an all-time high of $7.35 million, a five percent increase compared to the year prior.
In the U.S. alone, the average cost for each lost or stolen record containing sensitive and confidential information, regardless of industry, is $225, but for the healthcare industry, that price tag leaps to $380 per record — more than 2.5 times the global average across industries. And with the number of healthcare hacking incidents on the rise every year since 2013, the financial impact of breaches in the healthcare industry is increasing as well.
Because a medical record contains additional information that isn’t otherwise readily available to hackers, health records offer more value to them than credit card records or Social Security numbers. In fact, some experts estimate the value of an individual stolen medical record to be at least $60, as elements of the data comprising the medical record (name, Social Security number, birthday) can’t easily be changed. Compounding this issue, the attack surface is growing: the proliferation of IoT devices in the healthcare industry means more connected medical devices are present than ever before.
Today, providers are required to adopt electronic health records, whether or not they are financially prepared to invest in cybersecurity. Consequently, many healthcare providers are turning to outdated or clunky software systems to store patient records, exposing themselves and their patients to hacking risks.
With hacking and IT security incidents on the rise — and more than a quarter of health care breaches in the first quarter of 2018 caused by such incidents — the importance of patching software and operating systems has never been more pronounced for health care organizations. In fact, arguably the most significant example of failure to apply security patches resulting in hospitals falling victim to cyber attacks came with last year’s WannaCry ransomware outbreak.
While no patient data was compromised as a result of the global cyberattack, a large number of National Health Service hospitals and surgeries in the U.K. were forced offline as systems became infected. Later analysis found that simple patching could have prevented WannaCry’s massive impact.
The traditionally time-consuming and burdensome practice of patching needs to be prioritized by security and IT departments at hospitals and health care organizations. Staying current with patches for operating systems and third-party applications is the only way companies can fully prevent attacks based on known vulnerabilities.
While many cybersecurity teams already dedicate a sizable portion of their staff to vulnerability response, more people do not equal better security if patching processes are broken. Organizations often struggle with patching because they use manual processes and can’t prioritize what needs to be patched immediately.
Health care organizations can improve their security posture in a few ways: taking inventory of vulnerability response capabilities, defining and optimizing end-to-end vulnerability response processes, and automating as much as possible. Today, the solution that addresses all of these improvements appears to be cloud-based patch automation.
Enter Automox. Our cloud-based agent and policy engine allow you to control your level of patch management automation, flow processes and configuration enforcement, all from a single dashboard. The lightweight agent can be installed on all of your Windows, Mac OS or Linux systems in mere minutes and automatically patches vulnerabilities based upon your configured policies.
Ultimately, hospitals and health care organizations can significantly reduce their chances of being breached by practicing basic security hygiene and patching vulnerabilities in a timely fashion. Try a free, 15-day, risk-free trial of Automox in your health care environment today. There’s no endpoint limit and no credit card required to sign up, and your organization will receive full access to the complete platform.