The healthcare industry has a big security problem. Medical data—worth 10 times more on the black market than a credit card number—is coveted by criminals. As a result, cyber attacks in healthcare are skyrocketing (up 125% since 2010) and are now the leading cause of data breaches.
But there are proactive steps teams can take to defend their customers, brand reputation, and revenue. Here are three top healthcare security challenges and how to tackle them.
Challenge 1: Cost pressures
Despite the soaring number of cyber attacks in healthcare, the industry spends very little on cybersecurity. ABI Research calculates cybersecurity spend for healthcare protection will only reach $10 billion globally by 2020, just under 10% of the total spend on critical infrastructure security.
This lack of investment ends up being expensive. In 2014, medical identity theft increased by nearly 22 percent. This amounts to an estimated $12 billion annual unbudgeted cost to the healthcare industry, further compounding existing budgetary pressures.
The solution: Create a business case for healthcare security
Investment in cybersecurity and consumer protection starts at the top. Create a business case for bolstering customer and brand protection by communicating the business impact. If you have a breach, for example, research suggests that 60% of your customers will think about moving and 30% actually do. Cyber attacks end up costing the US healthcare system $6 billion every year. Statistics like these help reveal how investing in security helps drive business outcomes.
Challenge 2: Compliance and regulation
With healthcare data breaches expected to rise, government regulation, such as HIPAA (Health Insurance Portability and Accountability Act), is broader in reach than ever before.
Today’s penalties for data breaches are increasingly onerous: fines are bigger, notification requirements are more stringent, and enforcement agencies have new incentives for taking action against organizations that fail to protect healthcare privacy. And the requirement to publicly notify customers about a data breach means lost trust and tarnished reputations for brands, which hurts the business’s bottom line.
The solution: Secure email with HIPAA’s privacy and security rules
HIPAA Privacy and Security Rules allow covered healthcare providers to communicate electronically as long as they apply reasonable safeguards when doing so. Follow these rules closely to secure your outbound email and avoid compliance issues.
Patients may initiate electronic communications, but the healthcare provider must make the patient aware of the potential risks of using unencrypted email. For example, healthcare providers may need to take certain precautions including:
- Checking the email address for accuracy before sending an email message
- Sending an email alert to patients for address confirmation prior to sending the message
- Limiting the amount or type of information disclosed through unencrypted email
Challenge 3: Outbound email as a threat vector
Email is a primary vector for healthcare organizations and professionals to communicate with clients and patients. It’s also the most vulnerable to attacks.
There’s no doubt that healthcare organizations should continue to build strong defensive controls against inbound cyber threats. However, when it comes to outbound email threats, the healthcare industry isn’t doing enough to protect customers. This needs to change.
The solution: Email authentication and email threat intelligence
Implementing DMARC (Domain-based Message Authentication, Reporting and Conformance) is the best way to ensure that fraudsters cannot send email spoofing your brand from any of the sending domains you control. DMARC lets receiving mail servers block spoofed email before it even reaches the recipient’s inbox.
It’s also important to defend against the 70% of email attacks that spoof healthcare brands using domains the company does not own. Email threat intelligence empowers companies to see all email attacks spoofing the brand, and react quickly to shut down phishing sites before customers are compromised.
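To make the DMARC point above concrete, here is an added example (not code from the original post or from any vendor) that applies the disposition logic a receiving mail server runs: it parses a constructed DMARC record for the hypothetical domain clinic.example and decides whether a message whose From: header claims that domain passes, is quarantined, or is rejected, based on which domains SPF and DKIM actually authenticated.

```python
# Added example: minimal DMARC disposition check (RFC 7489 logic) on a
# constructed record for the hypothetical domain clinic.example.
from typing import Optional

# Constructed TXT record, as it would be published at _dmarc.clinic.example
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc@clinic.example")
POLICY_DOMAIN = "clinic.example"  # hypothetical domain the record belongs to


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC record into tag/value pairs, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless stated
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (MTAs use the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain: str, spf_domain: Optional[str],
                      dkim_domain: Optional[str], record: str = DMARC_RECORD,
                      policy_domain: str = POLICY_DOMAIN) -> str:
    """Return 'pass' or the policy action ('none', 'quarantine' or 'reject').

    spf_domain / dkim_domain are the domains for which SPF or DKIM passed
    (None when that check failed). A forged From: header only survives if an
    authenticated identifier aligns with it.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Unaligned: apply p= for the domain itself, sp= for any of its subdomains
    is_subdomain = from_domain.lower() != policy_domain.lower()
    return tags["sp"] if is_subdomain else tags["p"]
```

A spoofed message whose SPF passes only for the sender's own domain gets "reject", while a legitimate one signed with DKIM for clinic.example gets "pass".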
Want to learn more about fighting email fraud in healthcare? Check out this guide.