One of the most important lessons emerging from the recent string of major cyberattacks in the healthcare sector is the need for executives to treat information security as an essential component of business operations. Healthcare is becoming a bigger target for hackers because hospitals, health insurers and others are rich sources of data.

In recent months, hackers have launched major attacks on a number of healthcare entities. Those include UCLA Health, which on July 17 reported a hacker attack that affected 4.5 million individuals; Anthem, which was hit by a hacker breach affecting nearly 80 million individuals; as well as Premera Blue Cross and CareFirst Blue Cross Blue Shield.

Healthcare organizations are being targeted because they have not only treatment information, but also high levels of personally identifiable information - not just Social Security numbers, but other information that can be used to answer security questions and better pretend to be the victim/consumer.

Another reason hackers are targeting healthcare is that most organizations in the sector have less mature security programs than those in other sectors, such as financial services.

One of the biggest mistakes that healthcare organizations are making is taking too narrow a view of information security, seeing it as only an infrastructure issue. The reality in this evolving electronic information economy is that information technology and information security have become fundamental components of the day-to-day business. Because of this misunderstanding of information technology and information security, the right mentality and resources are not being applied.

So the change that needs to occur is seeing information security as an essential part of the business operations. And healthcare ... will begin to see that patients will demand better information security, and regulators will begin to punish those institutions that haven't done a good job.

Ultimately, senior executives must develop a better understanding of the importance of information security. Once that happens, then you can start delving into some of the details of what a sound information security program requires, and healthcare can start making some of the fundamental changes we've been seeing in other markets.