Due to the surge of data breaches in the healthcare industry – accounting for nearly 25 percent of all recent data breaches – a new Brookings Institution report dives deep into addressing the problem through new cybersecurity strategies. Following in-depth interviews with 22 healthcare organizations including providers, payers and business associates, Niam Yaraghi, a Brookings fellow, found many commonalities, some differences and one crucial detail among the healthcare organizations: all 22 organizations had experienced at least one data breach.
In his report, “Hackers, phishers, and disappearing thumb drives: Lessons learned from major healthcare data breaches,” Yaraghi found that the healthcare industry is vulnerable for several reasons. Not only are medical records increasing tremendously in value on the dark web, but Yaraghi also explained that the federal government is not doing enough to keep patient records safe. Instead of relying on the federal government, the private sector must align to ensure these records are secured.
Following a simple doctor’s visit, Yaraghi explains, medical records often travel through six or more separate entities until the process is completed and paid for. Due to this complex exchange of medical records, patients’ private medical information is left extremely vulnerable to breaches while healthcare organizations have done little in response. “Government incentives led healthcare organizations to adopt electronic health records without being ready to adequately invest in security technologies,” said Yaraghi. “Privacy breaches used to have little to no effect on the revenue stream of healthcare organizations, and thus, they did not have strong economic incentives to invest in digital security and patient privacy.” Clearly, that is no longer the case.
As a result, Yaraghi offers several suggestions moving forward. “In many of the interviewed organizations, privacy breaches could have been prevented had the organization spent enough on security technologies or diligently implemented and followed privacy policies,” he said. “Healthcare organizations now have access to both the knowledge and technology that is required to ensure the privacy of their patients, and thus should use these resources to their fullest potential.”
However, no healthcare organization is completely immune to a data breach, signaling the value of cyber insurance not only to help recover from a data breach but also to fundamentally improve a healthcare organization’s cybersecurity practices. “To underwrite the privacy risk of healthcare organizations, cyber insurance companies will be willing and able to conduct timely and efficient audits and proactively manage their clients’ privacy protection efforts. Healthcare organizations will also have a direct economic incentive to reduce their cyber insurance premiums by addressing their security weaknesses and preventing privacy breaches.”