100 C-level technology, information and security executives at healthcare providers and health plans collected their thoughts for a recent report. The KPMG 2017 Cyber Healthcare & Life Sciences Survey of providers and health plans found a dramatic rise in computer system breaches, cyber-attacks, and data compromises, which include patient records, over the past two years. Despite that increase, more executives, who oversee protecting patient records and other information, say they are better prepared than two years ago to protect themselves against cyber-attacks.
“Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cyber-security risks,” said Healthcare Advisory Leader Dion Sheidy.
“There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate. The WannaCry ransomware hack in May was a warning shot against our collective ability to protect patient safety and privacy.”
KPMG, which published its findings in a report titled “The Healthy Approach to Cyber Security,” found that 47% of healthcare providers and health plans said they had instances of security-related HIPAA (Health Insurance Portability and Accountability Act) violations or cyber-attacks that compromised data compared with 37% in KPMG’s 2015 survey — an increase of 10 percentage points. However, when asked about “readiness to defend against a concerted cyber-attack,” 35% said they are “completely ready” versus 16% in 2015.
Despite the rising threats, KPMG’s survey found:
- Cyber security as a board agenda item has declined over the past two years (79% versus 87% in 2015).
- There is a disconnect regarding cyber investment in this volatile environment.
- A smaller percentage of healthcare companies made investments in information protection in the prior twelve months (66 percent versus 88 percent in the 2015 survey).
Data sharing with third parties is seen as one of the biggest vulnerabilities among healthcare providers and insurers with 63 percent of respondents mentioning it, topping Internet-enabled devices not fully controlled by IT and the lack of resources/budget. Yet sharing data is an important element of coordinating care and succeeding in a healthcare reimbursement environment that is moving away from paying for activity (fee-for-service) and toward outcomes.
Both payers and providers were opting to focus on investing in technology rather than process and staffing. “A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” said Michael Ebert, leader of KPMG’s cyber security group in healthcare & life sciences.
“Software can only protect you so far and staff is important when it comes time to respond to a data breach. The respondents that are not emphasizing staff and processes are underestimating the threats or creating a false sense of security among their management and board.”
Only 15 percent of respondents said that increased or higher-quality staffing is needed to make their organizations more effective in cyber security.
- “Overarching strategy” was seen as the biggest need by 24%.
- “Stronger processes” were at 21%.
- “Increased funding” and “better technology” were at 20%.
- Staff (hiring, training) ranked last at 24% in areas where organizations planned to make investments, trailing planned investments in stronger policy, technology, consulting, managed services and hardware.
The KPMG 2017 Cyber Healthcare & Life Sciences Survey asked 100 C-level technology, information and security executives at healthcare providers and health plans about their overall readiness, vulnerabilities and resources dedicated to protecting data. A separate cyber security survey was conducted with 100 executives at biotech, pharmaceutical and medical device companies.