Myth busted: A wait-and-see approach to cybersecurity is a terrible idea

While the costs tied to protection can be daunting, especially for small organizations, the costs only increase after an attack.
By Jessica Davis
09:25 AM
Share
wait and see approach to cybersecurity

It should come as no shock that hackers have spent the last two years pummeling the healthcare industry with cyberattacks. In 2017, the healthcare sector has already reported 233 breaches and is on pace to exceed last year’s rate of one healthcare breach per day.

For healthcare organizations that are already struggling with staffing shortages and tight budgets, there’s just too much to be done. And so they often undertake minimum requirements to reach HIPAA compliance and wait for an incident to react.

[See them all: 10 stubborn cybersecurity myths, busted]

“It’s true: There’s a lot to do and it seems like the threat is too great,” said CynergisTek CEO Mac McMillan. “But the fact of the matter is: You can’t let that deter you from using common sense and getting ready. Healthcare providers of all sizes are at risk. And waiting isn’t an option.”

There’s one simple reason not to wait: “It costs far more to recover from a breach than what an organization would have paid for protection,” said McMillan.

"Healthcare providers of all sizes are at risk. And waiting isn’t an option."

Mac McMillan, CynergisTek

In this year alone, there have been many cases demonstrating the true cost of a breach.

In January, Puerto Rico-based MAPFRE Life Insurance was fined $2.2 million by the U.S. Department of Health and Human Services’ Office for Civil Rights for HIPAA noncompliance. The settlement stemmed from a theft of a USB drive containing the protected health information of 2,209 members that was stolen from the IT department in 2011.

OCR found MAPFRE didn’t have necessary safeguards in place to prevent theft of ePHI. Further, OCR said the insurance company lacked urgency in data protection. MAPFRE not only failed to conduct risk analysis and implement risk management plans -- it also failed to encrypt data or an equivalent measure until three years after the initial breach.

Even if your organization avoids an audit or OCR settlement, there’s still the cost to recover from a breach to consider. For example, Erie County Medical Center in Buffalo, New York spent nearly $10 million dollars to rebuild its systems after it was hit by a ransomware attack in April. ECMC declined to pay hackers the $30,000 ransom.

ECMC officials expect that number will increase as time goes on to about $250,000 to $400,000 per month to cover investments in upgraded technology and employee education.

“It’s tough to watch people go through that,” said McMillan. “But these providers made a decision to save money in the moment and hope it won’t happen to them -- and then it happened.”

Dale Nordenberg, CEO of Safety and Security Consortium for Novasano, said that while there’s a lot to do, the crux of the myth is that some hospitals think it’s okay to not aggressively find the budget to plan for security.

When it comes to connected medical devices, it’s understandably overwhelming, expensive and time consuming to find and secure all of those systems on the network, said Nordenberg.

“But it’s imperative to understand that a healthcare organization is bearing the risk until it updates its security profile,” said Nordenberg.

Another issue with this mentality is the idea that if a provider can feign ignorance about the devices connected to the network, the provider is not obligated to fix the issue.

“In this day and age, it won’t hold true,” Nordenberg said. “Best efforts are going to bring much more benefits than with no effort.”

Whatever you do, don’t let the fear that there is simply too much work to do freeze you in your tracks. 

“Start somewhere,” Velasquez said. “You didn’t become a successful, large institution because it was too hard to grow.” 

 

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com