11 Things the Health Care Sector Must Do to Improve Cybersecurity



No industry or sector is immune to hacking. That reality was made painfully clear in mid-May, when a cyberattacker using WannaCry ransomware crippled health care institutions and many other kinds of organizations around the world. In 2015 over 113 million Americans' health records were exposed, and in 2016 the number was over 16 million, according to breach reports submitted to the U.S. Department of Health and Human Services' Office for Civil Rights. At the beginning of 2017 Experian predicted that the health care sector would be the most heavily targeted vertical industry. A March 2017 report from the Identity Theft Resource Center indicated that more than 25% of all data breaches were related to health care. The estimated loss to the industry is $5.6 billion per year. These stats should be a wake-up call for the entire industry.



There are three reasons health care is the source of so much stolen data right now. First, health care data can be monetized. For instance, cybercriminals can use medical data to sell fake identities, construct synthetic identities, or commit medical identity theft (obtaining care, prescriptions, or insurance payouts under the victim's coverage). If that doesn't work, they can use the stolen information for traditional identity theft, since medical records tend to include enough information (name, date of birth, Social Security number, address) to allow a criminal to open a credit card, bank account, or loan in the victim's name. If neither of those works, cybercriminals can use ransomware to extort health care organizations into paying to regain access to compromised systems and data.

Second, health care organizations have been slow to adopt practices that have worked for other industries. Most health care portals, for example, don’t have strong multifactor authentication. Many medical personnel are unaware of the risks to data security (which is ironic given the strong emphasis on patient privacy). And health care organizations tend to have smaller security budgets and teams than financial services organizations.

Finally, as other industries have become more sophisticated in detecting and blocking cyberattacks, criminals have had to find new sources of data. Aside from the fact that health care institutions collectively hold information on the vast majority of the population, their IT systems also have links to financial services (e.g., flexible spending accounts with their own debit cards or health savings accounts that can have five-figure balances after two to three years).


Given that most transactions in the health care sector are conducted through vulnerable hardware and software, it’s critical for providers and payers to strengthen their cybersecurity. For an example of how to proceed, they can look to the financial services industry, where some of the most well-known examples of cyberattacks in the last decade have occurred. This turmoil led to huge operational shifts in the financial services sector, where there’s more focus than ever on consumer education, industry information sharing, and stronger forms of authentication, among other things.

Here are some specific recommendations, which are based on our collective expertise in care delivery, health systems, financial regulation, and risk management.

Update HIPAA. Like the PCI DSS rules for debit and credit card security, the HIPAA Security Rule and the HIPAA Privacy Rule are already well-known frameworks for defining how a health care organization should secure its people, systems, data, and equipment. These established methods of approaching health care security would merely need to be updated to cover new forms of cyberattacks and new tactics employed by cybercriminals.

Take stock of basic housekeeping. Care providers should apply strong encryption to all patient data, at rest and in transit, and limit permission to access medical charts to the staff who need them for a patient's care. In addition, organizations should monitor searches and downloads from their IT systems and flag large batch exports of patient, research, financial, or other sensitive data, since bulk pulls of records are a common signature of exfiltration in progress.
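The monitoring step above is the one most health care IT teams can start on immediately, because EHR systems already produce per-chart access audit logs. The following is an added example (not code from the article or any EHR vendor) showing two simple detections run over a constructed audit log: one account opening an unusual number of distinct charts in a short window, and a batch export that is either very large or happens outside business hours. The log format, user names, and thresholds are assumptions made for illustration; real audit formats differ by vendor.

```python
"""Flag bulk chart access and suspicious batch exports in EHR audit logs.

Added example; not from the article. The log format, account names and
thresholds are assumptions for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines (assumed format): timestamp,user,action,patient_id,bytes
SAMPLE_LOG = [
    "2017-05-15T09:00:00,jdoe,VIEW,P1001,4096",       # a nurse's normal shift
    "2017-05-15T09:12:00,jdoe,VIEW,P1002,4096",
    "2017-05-15T09:40:00,jdoe,VIEW,P1003,4096",
    "2017-05-15T10:05:00,jdoe,VIEW,P1004,4096",
    "2017-05-15T10:30:00,jdoe,VIEW,P1001,4096",
    "2017-05-15T11:00:00,analyst1,EXPORT,BATCH,734003200",  # 700 MB batch file
] + [
    # 25 distinct charts opened by one account in under five minutes at 2 a.m.
    f"2017-05-15T02:{10 + i // 5:02d}:{(i % 5) * 12:02d},mallory,VIEW,P{2000 + i},4096"
    for i in range(25)
]


def parse_log(lines):
    """Parse the constructed CSV format into time-sorted event dicts."""
    events = []
    for line in lines:
        ts, user, action, patient, size = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "bytes": int(size)})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_access(events, max_patients=20, window=timedelta(minutes=10)):
    """Alert when one account views more than max_patients distinct charts
    within any sliding window of the given length (flag each account once)."""
    alerts = []
    recent = defaultdict(deque)  # user -> (timestamp, patient) pairs in window
    alerted = set()
    for e in events:
        if e["action"] != "VIEW":
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["patient"]))
        while q and e["ts"] - q[0][0] > window:   # drop views older than window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_patients and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"rule": "bulk_chart_access", "user": e["user"],
                           "count": len(distinct), "at": e["ts"]})
    return alerts


def detect_large_exports(events, max_bytes=100 * 1024 * 1024,
                         business_hours=(7, 19)):
    """Alert on batch exports that are larger than max_bytes or that happen
    outside business hours; both are typical exfiltration signatures."""
    alerts = []
    for e in events:
        if e["action"] != "EXPORT":
            continue
        reasons = []
        if e["bytes"] > max_bytes:
            reasons.append("size")
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            reasons.append("off_hours")
        if reasons:
            alerts.append({"rule": "large_export", "user": e["user"],
                           "bytes": e["bytes"], "reasons": reasons, "at": e["ts"]})
    return alerts


def run(lines=SAMPLE_LOG):
    """Run both detections over a log and return the combined alert list."""
    events = parse_log(lines)
    return detect_bulk_access(events) + detect_large_exports(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed log this produces two alerts: the "mallory" account (21 distinct charts inside the window when the threshold is first crossed) and the 700 MB export by "analyst1". The nurse's five views of four patients over ninety minutes are not flagged. In production the thresholds should be set per role (a pharmacist legitimately touches far more charts per hour than a billing clerk), and the alerts should feed the same on-call process used for other security events rather than a report nobody reads.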

Purchase insurance. Many financial services organizations have cyber insurance, and health care systems should get it, too. Since this is a relatively nascent kind of insurance, most leaders of health care organizations and boards of directors may not be aware that it exists. Significant open questions about it remain, including who should pay for such policies and whether it should protect the institution, the patient, or both. At the moment, the institutions themselves are paying, and this likely will not change in the foreseeable future.

Require training for personnel. Human error, including falling for phishing attacks, is the leading cause of major security breaches today. Health care systems should regularly remind people of the importance of information security best practices through required training, strategic reminders, and other means.

Protect supply chains. Hospitals and health care systems have diversified supply chains and massive lists of vendors with whom they digitally interface. Those vendor connections are a tempting way for cybercriminals to gain access to health care organizations' IT systems. Consequently, care providers must understand the many moving parts that are involved and protect their relationships and information exchanges with and among those groups. Third-party assessors can help evaluate such risks and recommend ways to minimize them.

Share industry best practices regarding cybersecurity. The FS-ISAC has made life easier and safer for the financial services sector by enabling peer financial institutions to share information rapidly and directly. Similar groups, such as the NH-ISAC, can serve as starting points for expanding similar types of discussions and planning.

Deploy strong authentication. Health care systems should use multifactor authentication or other types of consumer security that are already ubiquitous in the U.S. financial services arena. Most U.S. consumers are already familiar with this type of technology and won't need to be significantly reeducated (a challenge the financial services sector had to deal with a decade ago).