Security measures are not regarded with sufficient interest

Oct 20, 2014 23:55 GMT

With cyber-attacks and intrusions occurring on a more frequent basis, most small healthcare organizations do not worry too much about failing to protect customer information should such an event happen to them, a study reveals.

The research, conducted by CSID, a company offering data breach solutions and proactive response and management for this type of event, showed that most participating healthcare facilities (28.6%) do not have a crisis plan to activate in case of a data breach incident.

Stricter security policies for employees are required

Despite this, and the fact that they are unprepared to counter such an unfortunate event, 83.3% are not worried about cybercriminals penetrating their systems and accessing information about their customers.

Moreover, few of them have enabled two-factor authentication (2FA) for the personnel with access to electronic health records, and they do not have a policy for auditing the vendors that have access to patient data.

However, it appears that they have understood the benefits of having a strong password. Unfortunately, this is far from being an impediment for hackers, who no longer resort to brute-force attacks to obtain access credentials. Their techniques have become more refined, and a strong password does not provide better security in the case of phishing or vulnerabilities in Internet-facing computer systems.

According to the study, about half of the employees with access to patients’ records can also log into their personal email at work, which increases the risk of a company computer being compromised or the employees’ credentials being stolen. Once inside the company network, an intruder could move to sensitive areas of the infrastructure where financial information about the patients is stored.

Investing in data breach mitigation options has long-term benefits

Only a small number of healthcare units invest in security measures to proactively mitigate the risk of a breach, and they spend less than 10% of the entire IT budget on data protection.

“With the rise of electronic medical records, one weak link can be devastating for the whole system,” said Joe Ross, president and co-founder of CSID.

Furthermore, among the findings of the study is the fact that these organizations lack the appropriate resources and knowledge to keep the information about their patients safely stored on their systems.

The risk is not only to the patients, since the company responsible for safeguarding sensitive details about them also incurs financial losses; these occur in the wake of a compromise and take the form of forensic investigation as well as identity theft services offered to individuals affected by a potential breach.

“It is going to be increasingly important for all healthcare facilities to proactively protect against medical data theft by implementing stronger security protocols and having a breach plan in place,” said Ross.