Q&A: What healthcare providers should do after a data breach
Healthcare data breaches are costly incidents for organizations, and the high value of personal health information makes healthcare a prime target for cyber criminals.
Unfortunately, the rate of data breaches is increasing in the healthcare space as the interconnectedness of medical devices, health tracking systems and other digital health solutions offer more ways to infiltrate systems. These breaches can have devastating impacts, from high costs to irreparable damage to patient relationships and trust.
Health Exec caught up with Rob Kim, chief technology officer at digital solutions provider Presidio, to understand what healthcare organizations should do after a data breach.
Health Exec: What makes healthcare organizations such prized targets for cyber criminals?
Rob Kim: The healthcare industry is the top targeted sector for cybersecurity attacks. In fact, the number of exposed patient records doubled to 42 million from July 2021 to June 2022. Since healthcare entities often rely on outdated legacy systems, they are especially vulnerable to bad actors and malware. Layer on top of that the fact patient records have highly sensitive information, making healthcare data attractive for ransomware attacks and double extortion.
Many healthcare organizations are implementing applications and platforms to ensure compliance around data governance. From a patient perspective, their most sensitive data is patient records that in many cases are inefficiently recorded in multiple systems. This makes private patient data extremely valuable to sell on the black market, regardless if the providers pay a ransom or not.
As nothing is more critical than life or death situations, providers are often targeted for attacks because [healthcare] is the No. 1 sector in willingness to pay a ransom––though the resulting scenario typically leads to increasingly bad outcomes. While nearly half of healthcare organizations pay the ransom, only an estimated 2% get 100% of their data back. Additionally, the chance of another attack––in most cases by the same threat actor––is more than 80%.
HE: What do cybercriminals do with the data they obtain in breaches?
RK: For cybercriminals, money is always top of mind. Obtaining Social Security numbers and other in-depth personal information from patients allows them to commit identity theft or sell the information on the black market for a large profit.
HE: What are some of the most common responses from health systems after a data breach?
RK: For many health systems, this will depend on the size of the breach and what data was accessed. However, on average, cybersecurity breaches cost healthcare companies around $10 million, and 61% of healthcare organizations end up paying the ransom. This can open these organizations up to future attackers now it’s known they are willing to pay. However, patient lives are on the line if vital systems are not restored. It can be a matter of life and death.
In addition to this, healthcare providers should also take the incident as a learning experience. They must create an incident response plan, preserve any evidence of the breaches, contain the breach and start an incident response management process. It is imperative every healthcare organization conduct an annual security risk assessment to ensure future breaches can be prevented.
HE: What are the responsibilities of healthcare organizations once they are breached?
RK: Cyber-recovery planning must be a core component to incident response (IR), with regular testing of IR plans to ensure rapid incident preparedness. This will also improve cyber insurance coverage, as the ability to demonstrate recoverability will help lower premiums and increase coverage amounts by lowering overall risk for the carriers.
Healthcare organizations also have a responsibility to notify their patients within 60 days of the breach, in addition to notifying the Federal Trade Commission (FTC) and, in some cases, the media. Having a cyber recovery plan in place helps ease patient concerns when they are notified that their health data was compromised.
HE: What are the first steps a healthcare organization should take after a data breach?
RK: As soon as the organization identifies that a breach has occurred, immediate containment is step No. 1. Once the breach is contained, the next step is a comprehensive assessment on what was compromised and determine the size of the breach and who may have been impacted.
HE: What should they NOT do?
RK: Misleading or incorrect information can make matters worse and cause worry among patients and employees. Conversely, staying silent is not the answer either. The bottom line: release accurate information as soon as possible.
HE: What’s the best response that you’ve seen to a data breach?
RK: The best responses are often the ones we don’t hear about. When a company can quickly and quietly contain a breach, small or large, this signals that they had a strong incident response plan in place and were prepared as soon as it occurred.
The worst responses to data breaches typically relate to lack of preparation and notification. This is often displayed by incorrectly reporting breaches, and leaving out information, or by delayed or lack of notification to those who may be impacted by the breach.
HE: What are some of the best solutions to mitigate and prevent cyber attacks that you’re seeing health organizations implement?
RK: Healthcare organizations need a proactively defensive security posture, which is where investment in managed detection and response (MDR) will be critical. MDR solutions decrease the mean time to detect and respond to potential incidents, reducing risk and overall business impacts. Implementing this solution also allows for increased visibility and stronger security insights that can guide healthcare organizations on what remediation actions to take if an attack does occur.