For an industry that holds some of the most valuable information on the dark web, health care is falling behind when it comes to cybersecurity. Just this month, data for 3.7 million people was exposed in a series of attacks on Banner Health. Another breach at Newkirk Products, a company that provides ID cards for Blue Cross and Blue Shield carriers, resulted in 2.2 million compromised records.

While research firm Frost & Sullivan predicts health provider spending on cybersecurity will increase by more than 13 percent in the next five years, Niam Yaraghi, a fellow in the Brookings Institute’s Center for Technology Innovation, believes we can improve security without such a drastic increase in cybersecurity spending. “Unlike healthcare organizations, the banking sector has mastered the art of mitigating the consequences of privacy breaches,” he explained.
Yaraghi notes that banks quickly notify customers of breaches, immediately freeze the affected cards and distribute new ones. “On the other hand, the response of healthcare organizations to a data breach only consists of panic, mandatory reporting and in some cases, provision of identity theft protection,” Yaraghi said. “Despite the fact that medical data breaches can be disastrous for patients, healthcare organizations have no viable strategy or technology to effectively reduce the negative consequences of data breaches.” On top of that, health care companies choose to wait before going public after a cyber incident for fear that disclosure will hurt business, which only increases costs in the long run.

So what’s next? Yaraghi believes it starts with the federal government. Departments such as the FBI’s cybercrime division and the HHS can “shed considerable light” on the issue. All in all, the health care industry must have a proactive, not reactive, policy that addresses cyber incidents on the front end.