By Augusto Melo, Information Security Analyst – Intrinium
Information security is often treated like a health insurance plan: most people are reluctant to pay the premiums, but are glad they did when an unexpected illness occurs. With some effort, most people can find a plan that fits within their budget and still provides proper care, both to help with recovery and to prevent illness. Unfortunately, the healthcare industry does not seem to apply the same risk management when it comes to protecting itself against cyber-attacks.
Revenue in the healthcare industry has increased steadily year after year, with an estimated $8.734 trillion by 2020. This makes healthcare providers a valuable, high-stakes target for criminals. A well-known case occurred in 2019, when a breach at the American Medical Collection Agency (AMCA), a billing vendor for clinical laboratories, exposed approximately 25 million patient records. Such attacks not only threaten HIPAA compliance, but also have the potential to impact life-saving medical devices, emergency lines, and other business-critical applications and devices.
Even with the increase in the number of cyber-attacks and the sensitivity of healthcare data, the industry on average does not invest enough in cybersecurity. According to the HCIC Task Force, the industry only started actively investing in cybersecurity within the past couple of years. This delayed investment and security awareness creates problems, as hospitals now must balance the cost of acquiring expensive medical equipment against maintaining legacy infrastructure and managing a highly interconnected environment. Moreover, when healthcare companies fall victim to a cyber-attack, they often lack in-house Information Security expertise, which can lead to excessive response costs. Appropriate network monitoring and security controls are expensive and may have compatibility issues with legacy medical devices; adding the cost of licensing those controls, network infrastructure, maintenance, and hiring Information Security professionals can amount to millions of dollars per year. One would presume that executives who understand these costs would identify funds to support the program and its staffing, even knowing that the investment can only reduce, never eliminate, the risk and potential damage of a cyber-attack. Given the size of that investment, however, it is easy to see why some organizations choose to accept certain risks, and how and why information security ends up neglected.
Nevertheless, just as patients buy health insurance to limit the financial impact of illness and to secure access to treatment, healthcare providers must invest in cybersecurity to minimize risk and to be able to recover from a disaster. Fortunately, the increasing demand for Information Security at lower cost has given healthcare providers a more affordable and reliable alternative: Managed Security Service Providers (MSSPs). MSSPs employ skilled professionals who specialize in developing a cybersecurity plan that fits the specific needs of an organization while reducing its staffing and infrastructure-maintenance costs. Moreover, MSSPs keep on top of compliance requirements (such as HIPAA, PCI, and GDPR) and the latest cyber threats, and offer 24/7/365 network monitoring services. One caveat: outsourcing monitoring does not outsource accountability. Under HIPAA the provider remains the covered entity, and an MSSP that handles protected health information is a business associate that must be covered by a business associate agreement. With that in place, an MSSP bridges the gap between investment, scalability, and service reliability while enhancing security and reducing risk.
Although MSSPs are not "cyber-health" insurance companies, they provide services aimed at keeping an environment healthy: they prescribe (security advisory) and apply treatments (antivirus scans and system recovery) for infections (computer viruses), work on preventive measures (malware containment and system patching), perform regular checkups (vulnerability scanning), and actively monitor a company's network for anomalies on a 24/7/365 basis. The result is a considerably safer environment that is less prone to infections and service disruptions. Do not wait for the next major virus outbreak or data leak to invest in cybersecurity; just as in healthcare, the cost of treatment (e.g. recovering from a ransomware attack) is often higher than the cost of proper prevention and disaster-recovery planning.