This year’s survey from the Healthcare Information and Management Systems Society (HIMSS) [1] offers more sobering news on privacy threats. In it, two-thirds of respondents said their health care organizations had recently experienced a “significant security incident.” The impacts of those incidents were as follows:
- 62% resulted in a limited disruption of IT systems with limited impact on clinical care and IT operations.
- 21% resulted in a loss of patient, financial, or organizational data.
- 8% experienced a significant disruption of IT systems, while another 8% had damaged IT systems.
Despite the fact that respondents reported using, on average, 11 different technologies to secure their environments, the majority felt only an average level of confidence in their ability to protect their IT infrastructure and data!
One reason might be that 42% of those surveyed believe there are simply far too many emerging and new threats to track, while 64% believe they have insufficient cybersecurity personnel to adequately mitigate risks.
It’s no surprise then that 87% of respondents said cybersecurity has become an increased business priority. And it ought to be, since it has become a persistent business risk, especially for small to midsized health care organizations. As health care increasingly becomes a preferred target for criminals (see Medical Identity Theft Is on the Rise—and Going Higher), the criminals are seeking out smaller health care organizations operating with less mature security programs and therefore struggling to safeguard information.
Clearly, smaller organizations must be especially vigilant amid this growing threat landscape.
From Threats to Improvements
Smaller health care organizations have limited resources, but that should never hinder due diligence. A few best practices can proactively address the very real threat that your organization could be the next cybercrime target. Here are some of the must-do actions:
- Identify all of the various assets cyber criminals would want to steal, from PHI to intellectual property.
- Establish policies and procedures that control access to all those assets, especially PHI, but also physical access.
- Use, maintain, and update strong security tools including firewalls, antivirus software, patches, and password protection.
- Ensure any device that connects to the network or can be accessed remotely is secure; that means everything from medical devices to photocopiers.
- Conduct regular security risk assessments.
- Create a cybersecurity investigation and incident response plan, and then test it.
Make Cybersecurity a Business Priority
Smaller health care organizations can learn a lot from their larger counterparts and even take lessons from other industries like financial institutions and retailers that have made cybersecurity a key business priority. The risks are real, the threats are high, and the responsibility to act is an imperative, no matter your size.
Wipfli understands the health care industry and offers cybersecurity expertise to help protect your assets. We tailor our cybersecurity services to help small and midsized health care organizations, providing you with assistance and assurance without your having to add in-house resources.
[1] 2015 HIMSS Cybersecurity Survey