Five Most Dangerous Trends in Cybersecurity that Affect Healthcare.
Cybersecurity has become even more important in the last two years, as many healthcare providers and organizations were forced to adopt new ways of providing their services due to the COVID-19 pandemic. Many employees had to stay home, and remote working is rapidly becoming the new norm. More than ever, it is critical that healthcare providers and organizations understand how to protect their assets and grow in cyberspace. I wish to discuss the five most dangerous trends in cybersecurity in healthcare and provide some insight into how organizations can protect their assets and grow in this new environment.
The intent of this article is not to scare, but to inform. My team and I strive not only to quantify the cyber risks or “omens” that modern enterprises face in today’s interconnected world, but we also bring our unique knowledge, skill sets, and approach to help healthcare organizations to protect their assets, stay secure, and more importantly grow.
Needless to say, the key to a successful cybersecurity strategy is to plan in advance and make the right decisions upfront. I am sure that readers will agree with me that healthcare organizations continue to face a multitude of challenges with regard to information security and privacy.
1. HEALTHCARE ORGANIZATIONS ARE A PRIME TARGET OF HACKERS.
Cyber-attackers like to target the healthcare sector because of the value of its data. The healthcare sector is prone to paying the ransom because the disruption, lost productivity, and damage to data can be more expensive than the ransom itself. It is estimated that 23% of healthcare organizations made some form of payment to attackers last year. Ransomware attacks on the healthcare sector increased 400% in 2020. Almost 90% of healthcare organizations in the U.S. experienced a data breach in the past two years. Network penetration testing shows that hackers can easily access most healthcare applications. It is estimated that the loss of data and related failures will cost healthcare companies nearly $6 trillion in damages in the next three years. Given these trends, it is conceivable that organizations that handle healthcare data and fail to update their systems may face grave consequences in the future.
2. HEALTHCARE ORGANIZATIONS ARE A PRIME TARGET OF GOVERNMENT AGENCIES.
Healthcare providers face increased enforcement of the HIPAA Security Rule by the Office for Civil Rights. Specifically, there is increased scrutiny of whether healthcare providers apply ‘reasonable and appropriate’ safeguards and provide ‘adequate’ protection of sensitive information to demonstrate compliance with a growing number of continuously evolving federal, state, and industry requirements.
Moreover, under the HIPAA Final Omnibus Rule, all healthcare business associates are now directly liable for failure to comply with the HIPAA requirements. This means that healthcare organizations’ responsibilities extend beyond their own organization. As most businesses are forced to adopt new ways of communicating, healthcare organizations and providers must look into the cybersecurity issues of a wide range of business partners and other third parties (a.k.a. business associates) with different capabilities, requirements, and risk profiles.
3. INDIVIDUAL LIABILITY FOR DIRECTORS AND OFFICERS IS BECOMING A MATTER OF REGULATION.
Federal, state, and international regulators are increasingly expecting senior-level accountability for cybersecurity. We see increased regulatory enforcement actions that often lead to civil litigation by state attorneys general and consumers under state consumer protection laws or state data security statutes. These actions may have potentially dire, personal consequences for the directors and officers who pay insufficient attention to cybersecurity.
We see an upward trend in the number of cybersecurity-related lawsuits filed against the boards of directors of corporations that have suffered data breaches. Most of these lawsuits claim that the board failed to take reasonable steps to safeguard customers’ personal and financial information. Members of senior management have been forced to resign (Danielle Douglas, “Target CEO resigns after a massive data breach,” 2014), others have had their bonuses cut (Marissa Mayer, Yahoo CEO, loses bonus and stock award over the security breach, 2017), and others have found themselves hauled before Congress (“Target executive apologizes to Congress for a data breach,” 2014).
4. DIRECTORS AND OFFICERS MAY FACE CRIMINAL LIABILITY AND JAIL TIME.
As attackers have moved more towards extortion, disruption, or even destruction, not just data theft, the basis for personal liability can extend beyond traditional corporate claims.
For example, choosing to pay a ransom without thinking through the consequences could open up directors and officers to criminal liability for providing material support to terrorism under the Foreign Corrupt Practices Act and other laws.
To add insult to injury, the government’s classification of a ransomware attack as an act of terrorism will likely lead to denial of insurance claims by insurance carriers, as terrorist attacks and related damages are usually excluded and not covered under insurance policies.
5. WITHOUT CYBER-RISK INSIGHT DECISION-MAKERS ARE FACING AN IMPOSSIBLE TASK.
Most legal requirements are general, lacking specific definitions or a specific prescription of what organizations need to accomplish. Given this lack of specificity, healthcare organizations are left in the dark, only guessing when they have to decide what actions would be considered ‘reasonable and appropriate’ and what level of protection would be ‘adequate’ in the eyes of federal, state, and industry regulators, business partners, patients and their families, and other interested third parties.
Consequently, organizations often find it difficult to justify the cost associated with implementing security measures. Quantifying the return on any new investment is challenging even when cost and returns can be calculated; without specific data, it is an impossible task. It is not surprising, then, that most healthcare organizations choose to justify security investment on fear, uncertainty, and doubt.
However, there is a better way to manage cyber risk, as we will discuss in the article “How can an organization determine ‘reasonable and appropriate’ safeguards to provide ‘adequate’ protection of sensitive information?”