Michael Ebert, leader in KPMG’s healthcare & life sciences cyber practice, talks about why this might be, following a recent survey that found that an astonishing 81 percent of healthcare executives say that their organizations have been compromised by at least one malware, botnet, or other cyber attack during the past two years. “The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise and healthcare executives are struggling to safeguard patient records,” said Ebert in a statement about the survey. “Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed. A key goal for execs is to advance their institutions’ protection to create hurdles for hackers.”
Perhaps help is on the way, however. This week, the U.S. Senate passed legislation that will enable information-sharing to support cybersecurity, a move that the leading associations of CIOs and CISOs in the country have applauded. The legislation, the Cybersecurity Information Sharing Act of 2015 (CISA), would give hospitals and health systems liability protection when sharing cyber threat information with the federal government with the aim of improving the nation’s detection, mitigation and response to cybersecurity threats.
The passing of CISA in the Senate was lauded by both the College of Healthcare Information Management Executives (CHIME) and the Healthcare Information and Management Systems Society (HIMSS). In a statement, CHIME said, “CISA will allow CIOs and CISOs to share threats and vulnerabilities through a secure national information-sharing infrastructure with the necessary liability protections in place and will not risk patient trust. As an important piece of the nation's critical infrastructure, it is vital that healthcare organizations have the tools and information they need to identify and more effectively defend against growing cyber threats.”
Opponents of CISA question its worth, believing it will move responsibility from private businesses to the government, thereby presenting a serious threat to consumer privacy. In particular, several big-name tech companies have already spoken out against it. Personally, I think the legislation will allow the government to better help organizations secure their information systems.
CISA alone will not cure the industry’s data security problems, but at the very least, awareness and insight should be gained. That being said, the onus is still on the organizations themselves to mitigate risk and better prepare themselves for potential threats. Until that happens, they could expect a lot more scares, and not just around Halloween time.
Comments or questions? Feel free to comment below or follow me on Twitter @RajivLeventhal.