Demystifying CFO’s Role In Cybersecurity
With a healthcare industry that is growing at a rapid pace and relying ever more heavily on technology, security has become a major concern, especially after the recent, massive malware attacks that tore through more than 150 countries and affected millions. Those attacks hit the top transcription vendor in the U.S. healthcare industry. KPMG International[1] concluded in its survey that 80% of healthcare providers and payers have had their IT compromised by cyber-attacks. All of this points to significant vulnerabilities at the intersection of technology and medicine.
So what is a Cyber ‘Ransomware’ Attack?
Typically, ransomware is malicious software that adversely affects your technology systems in one of two ways: (1) the files on those systems are encrypted, that is, scrambled so that only the attacker holds the key needed to unlock your data; or (2) the ransomware locks you out of your entire system and demands a ransom to give you back access to your data.
Impact of Cyber Attacks
The 2017 IBM and Ponemon Institute[2] study reveals that the average total cost of a data breach for healthcare organizations is a whopping $7.35 million. These attacks cause serious complications that result in delayed treatment, potentially leading to poor quality care. The reality is that cybersecurity attacks on your organization can result in negative cash flow and even loss of life, damaging the bottom line and the reputation of a hospital. Adding to this agony is the regulatory compliance breach. For instance, the average HIPAA settlement fine is approximately $1.1 million, and this figure is only increasing as HHS becomes more aggressive in enforcing HIPAA regulations[3].
Data breach events have legal consequences, damage a healthcare organization’s brand image and cause share prices to fall by an average of 6%. Breaches also resulted in 65% of customers losing trust and 31% of consumers discontinuing their relationship with the organization, as uncovered by the Ponemon Institute[4].
Cybersecurity 101 — Your Plan
Every hospital CFO must maintain a bird’s-eye view of the threat landscape, which helps allocate funds and resources to the areas most vulnerable to an attack. CFOs are therefore exceptionally important to an organization’s cyber defense strategy.
Here are the key points that CFOs must make a priority:
● Develop a Cybersecurity Mindset Throughout The Organization:
In collaboration with the CIO, develop procedures and processes that create continuous education, awareness and training across the organization. It takes only one unaware employee opening an attachment carrying malware to cripple the entire system. Organizations need a dedicated SecOps team to handle security, hunt threats, educate staff on the latest threats and perform penetration tests.
● Identify, Prioritize and Safeguard Crucial Data:
Identify the data that is absolutely necessary and cannot be compromised. This will help you allocate appropriate funding to deploy better protective mechanisms around your data and devices.
An effective plan addresses not only access to medical and billing records, but also contingencies for email, for departments reliant upon the network and for departments with high-tech equipment such as lab, pharmacy or imaging services.
● Invest in a Risk-Based Cybersecurity Framework:
Frequently implemented frameworks are built on standards such as ISO 27001 and those of the US National Institute of Standards and Technology (NIST). These frameworks help hospitals better identify, prioritize, mitigate and communicate risks, both internally and externally. They further help design, monitor and measure goals for an improved cybersecurity program.
● Harness The Dynamism of Cloud-based Cybersecurity:
Cloud-based software leverages advanced technologies for data security, network protection and identity and access management. Cloud computing includes a range of services such as advanced authentication, penetration and vulnerability testing, real-time threat monitoring, network behavior analysis and security alert analysis. This leads to top-notch security, virtually zero downtime, faster data recovery, easy scalability of applications and 100% availability of data.
● Invest in Cybersecurity Insurance:
Cyber adversaries find sophisticated ways to circumvent security safeguards. Buying cybersecurity insurance that covers denial of service attacks, data destruction, fraud and extortion mitigates the financial impact. Other key areas of coverage include crisis management, data restoration and business interruption.
Cyber-Security Checklist — A Must
● Evaluate Incident Detection & Monitoring Mechanisms:
Keep a list of contact information for key people at your network and internet service providers. Maintain a holistic network map that supports what-if analysis and serves as a visual tool when diagnosing a threat. Risk assessments help identify what really needs to be protected and how to get the best return on your security budget.
● Review Your Data Breach Response Plan:
Keep your primary focus on what you would do in the event of a breach of crucial data. Leverage your network security partners to compose a threat-based series of responses that reflect current industry best practices.
● Collect and Analyze Security Risk Reports on a Periodic Basis:
Based on specific risk indicators, detailed reports should identify privacy and security risks, vulnerable spots and the steps needed to mitigate those vulnerabilities.
● Evaluate Current Technology:
Make sure that your systems are updated and upgraded on a regular basis and are monitored in real time. Avoid dependence on legacy data centers that are prone to security loopholes, as well as to corruption, outages and failures.
● Monitor Your Software Vendor’s Capabilities:
Work with your CIO and CISO to evaluate, validate and mitigate security concerns after reviewing each vendor’s data handling, encryption methods, disaster recovery procedures and third-party accreditations, along with the security checks applied to the people who have access to the data.
Research by the Identity Theft Resource Center[5] shows that in 2017 the U.S. healthcare industry leads in the number of records compromised (57% of total records). The sheer frequency of these attacks, the evolution of more complex attacks and a lack of sufficient security protection should encourage every hospital CFO to take ownership of what the organization is doing to manage cybersecurity effectively. Partnering with the right organizations, for resources, expertise, experience and capabilities, can assure the success of your cybersecurity strategy.
Sources:
1. https://assets.kpmg.com/content/dam/kpmg/pdf/2015/09/cyber-health-care-survey-kpmg-2015.pdf
4. https://www.centrify.com/media/4737054/ponemon_data_breach_impact_study.pdf
5. http://247wallst.com/technology-3/2017/03/15/more-than-300-data-breaches-to-date-in-2017/
About ezDI
Headquartered in Louisville, Kentucky, ezDI, Inc. focuses on developing healthcare IT solutions that leverage cutting-edge technologies including Natural Language Processing (NLP), Machine Learning, Semantic Web and High Performance Cloud Computing. The goal is to put operational data in the hands of healthcare professionals to help them proactively identify patients at risk and patterns in disease and treatment outcomes. ezDI builds intuitive healthcare IT solutions spanning Clinical Documentation Improvement (CDI), Computer-assisted Coding (CAC), Medical Transcription, Analytics and more. ezDI was named one of the top 100 highly innovative companies at TiECon 2014 and ranked #1 in the Semantic Evaluation of Clinical Data (SemEval) competition in 2015.