80 per cent of healthcare organizations say they haven’t completed a cybersecurity drill with an incident response process (Getty Images)
Every industry and all organizations are vulnerable to breaches and hacks.
Healthcare companies, however, are four times more likely to be targeted than any other industry. Patient data, rich with personal health and financial information, is highly lucrative to a hacker. According to Becker’s Hospital Review, a patient’s medical information can be worth between 10 and 40 times more than a credit card number on the black market.
There is no immunity or vaccine to prevent a breach, hack or ransomware attack; a cyber break-in must be treated as a matter of when it happens, not if.
In the event of a breach or ransomware attack, all eyes (internal and external) are on the senior leadership of the organization and most often the CEO, not on the company’s IT department. Eighty per cent of healthcare organizations said they have not completed a cybersecurity drill with an incident response process, despite rising cases of data breaches, according to Becker’s Hospital Review.
Cyber breaches affect every operational aspect of the organization, from finance to R&D to customer service and more. This trickle-down organizational effect demands a top-down approach to threat identification, risk quantification and appropriate response. Every member of the organization’s executive team should be involved in, and contribute to, the risk quantification analysis. Leaving the C-Suite out of this process makes the organization that much more susceptible to financial and brand equity damage and, more importantly, to a loss of trust.
Some organizations still mistakenly expect the IT department to develop the risk strategy on its own. Certainly, IT is a key resource and tool in the threat assessment, prevention and response processes. But an organization’s risk assessment and response strategy must be led from the top and include all C-Suite leaders: human resources, legal, marketing/communications, investor relations and others.
QUALITATIVE AND QUANTITATIVE RISK ASSESSMENTS
Every organization, large or small, should have a cyber vulnerability assessment and response plan that identifies and weighs the quantitative and qualitative risk factors before, during and after an incident.
The quantitative assessment aims to understand the potential financial impact of a breach and the organization’s ability to absorb the costs (a healthcare data breach costs the most of any industry, at US$429 per lost record, per the HIPAA Journal). Can the organization stomach paying a ransom if it feels it has no other choice? What is the projected cost of a breach incident, including employee overtime, third-party response teams, legal counsel, and services and compensation for customers and other stakeholders whose data was compromised? Does the organization have the funds, insurance, master plan and support to handle an incident rapidly and pay those costs? An organization must plan for this financial emergency in the same way it would plan for a natural disaster.
The qualitative factors focus on the brand itself. In the world of healthcare data, a patient’s information is the most protected asset. In the event of a cyberattack, how much will it cost to retain the trust of patients? These are the types of questions leaders should know the answers to.
A proper response plan is not built in the moment. At least 39 per cent of healthcare organizations became aware of a breach only months after it happened. That is why a cyber vulnerability strategy must include an action plan that features not only a technical digital forensic approach but also, and more importantly, clear and transparent communications with patients, customers and partners about the situation and the efforts under way to mitigate the consequences of the attack. Mishandling a security breach response can cause long-lasting damage.
At the C-Suite level, holistic risk assessments are essential. To begin, how much of the organizational budget is dedicated to cybersecurity? Healthcare organizations dedicate only six per cent or less of their IT budgets to cybersecurity and, according to a Healthcare Information and Management Systems survey, that figure hasn’t changed since 2018. To be clear, simply throwing more money at a cyber-breach problem without an understanding of the organizational risk is not going to solve it. In the world of sports, it is often said that the best defence is a great offence, and this holds true in cyber preparedness.
A thorough understanding of internal vulnerabilities is critical to preventing data leaks and other breaches. After all, more than half of leaked patient health information is found to be the result of internal negligence. Organizations that undergo internal auditing and threat analysis can better protect themselves by assessing data that may be residing in unprotected cloud storage, enacting policies on access to and distribution of client data, and training employees in password security.
An organization will be judged by its response, good or bad. And, given that both future revenues and brand reputation lie in the balance, there is a lot at stake. Put it this way: if your organization’s cyber breach were covered by the media, what story would you want them to tell? Developing a solid cyber-vulnerability strategy and response plan is an opportunity to demonstrate the organization’s ability to anticipate and respond. These proactive defensive measures don’t just help protect your business; they serve and retain clients as well. In the long run, having a plan pays off for everyone.
CPA Canada has a wealth of cybersecurity resources and tools for every level. And for directors, here are questions to ask and insights into the latest cybersecurity and privacy themes to be aware of.