In a recent KPMG survey of 223 healthcare executives, a full 80 percent stated that their information technology had been compromised by cyber attacks.
Let’s think about this for two seconds… 80 percent!!! Possibly, a portion of the remaining 20 percent had not yet known that they were a part of the 80 percent. After all, how many clients have you taken on only to find that their network was being compromised or had been compromised?
In healthcare especially, the question is not if providers will experience a breach or cyber attack, but rather when. How will they respond, and what will the fallout be?
Why Are So Many of These Cyber Attacks Successful?
The healthcare community has been dragged, nearly kicking and screaming into the digital age. Well, not so much dragged as incentivized, but there's been plenty of kicking and screaming. Now more healthcare information is digital and with that, comes the need for digital security and safeguards.
Many providers are using outdated or insufficient EMR (electronic medical records) software. Many software vendors have products that are not adequate for today’s networked and connected environments. So proper security of these systems is left to each provider. In most cases, security is either very basic or non-existent.
Another issue is how easy it is to distribute ePHI (electronic protected health information). With old paper records, it would be nearly impossible for someone to steal a large amount of records from a provider’s office. However, in the digital world, you can pack an entire office of medical records on nearly any modern USB drive, laptop, smartphone, tablet, etc. In addition, the ability to compromise networks and steal data is very real and not that difficult in smaller, independent provider offices.
The Internet of Things is quickly becoming an even greater problem. More and more “things” are connected than ever before. Copiers, medical devices, watches and more are all connected, and many times within the same environment with no access limitations between devices. This means that someone could hack a respirator pump, and then gain access to a server.
The evolving threat landscape is driven by big payoffs for health records. Threats today are much more sophisticated and rapidly changing. Even a small office breach could bring in tens of thousands of dollars on the black market or the Dark Web. These small, independent providers are low hanging fruit for hackers. In some cases, they are fruit on the ground just waiting for anyone to grab.
Top Cybersecurity Threats
Among those surveyed, 65 percent indicated that external hackers were their greatest vulnerability, followed by sharing data with third parties at 48 percent.
When asked what their top information security concerns were, 67 percent said it was malware infecting their systems, and 57 percent cited HIPAA violations.
What this shows MSPs is where their clients’ potential concerns are. It also provides proof that the healthcare market needs quality, HIPAA compliant MSPs. As IT solutions providers, MSPs are qualified to address nearly all of the vulnerabilities and concerns addressed in the study.
Let’s take a brief look at the concern they have about violating HIPAA. Did you know that if a medical provider hires an MSP that is not HIPAA compliant themselves, they are violating HIPAA?
That’s right, MSPs that fully support these healthcare clients MUST also be HIPAA compliant. Don’t let someone tell you that all you have to do is use encryption, follow security best practices and sign a BAA (business associate agreement). There is a lot more to HIPAA compliance than that.
Why would you even want to support a client when you don’t understand, care about or abide by their requirements? That’s bad business! If you are giving HIPAA lip service and not taking it very seriously, it could come back to bite you…hard!
Healthcare Attacks and Breaches on the Rise
There is plenty of proof that hackers are able to make much more money by stealing healthcare records (versus other data) and selling them. This makes healthcare clients very vulnerable to attacks and breaches.
The financial sector is still the most attacked, but it has spent 20 years focusing on cybersecurity and protection. Healthcare has relatively ignored these threats until recently. This lack of attention paid to cybersecurity and protection has put a strain on the healthcare industry, especially for small providers.
Many providers don’t have the necessary security in place to even know when they are being attacked. One KPMG client reported a 1000 percent increase in security incidents to their enterprise once they implemented an effective Security Operations Center (SOC) to intercept, interpret and report on threats.
I’ve seen this with our clients as well. In many cases, we put in a Unified Threat Management device accompanied with our remote monitoring and management (RMM) agent, and find out the amount of attacks to a client is in the hundreds or even thousands per day. Healthcare organizations are not well prepared to handle the threats they face.
For HIPAA compliant MSPs, the opportunities in healthcare are massive. However, entering the healthcare vertical is no small undertaking. To take on HIPAA, you have to become and remain compliant, learn and stay highly educated and implement continual staff training, to name a few responsibilities. Still, the ROI is certainly worth the investment when done right.
For healthcare organizations, they must incorporate cybersecurity in their environments and develop a strategic plan to defend their networks and ultimately their patient’s data.
MSPs can help these healthcare organizations further by helping them coordinate a cybersecurity action plan and staying actively involved in its enforcement. Providing ongoing awareness and training through multiple formats, like webinars, is also a great service to provide.
MSPs should take a big picture approach when managing cybersecurity for healthcare clients. Their unique needs will yield unique, lucrative opportunities.
Learn more about the healthcare IT market!