Cybersecurity in healthcare: It’s just not enough

The worldwide spending on IT security is projected to increase 34 percent, reaching $101 billion by 2018. In comparison, the healthcare industry averages much lower, with less than six percent of the total IT budget being allocated to security.

What makes the situation even more precarious is that cybersecurity breaches are costing more. A Ponemon Institute survey revealed security breaches are averaging at $4 million an incident. The research goes on to highlight that the average cost per stolen record in the healthcare industry was $451. This is over twice the average global cost of a stolen record of $376.

However, healthcare organizations across the globe are sitting up and taking notice of the wide-scale implications of a cyber attack in their workplace.

The 2016 Harvey Nash-KPMG survey found that 52 percent of interviewed healthcare CIOs said they would be seeing IT budget increases in the next year.

IT spending has been listed as a top priority for healthcare executives in previous reports, which bodes well for the industry being able to keep Protected Health Information (PHI) secure.

It’s a common misconception that cyber criminals restrict their targets to the financial sector. But what happens when a bank is breached is that financial records are immediately sealed, and new records are generated for the individual. This is the action that financial institutions took when 3.2 million debit card records were compromised in 2016.

However, banks were able to get a grip on the situation by issuing new cards and a whole new set of credentials.

A discussion with Unique Kumar, CISO, Max Healthcare throws light on what CSOs in the healthcare space ought to do to mitigate risks and take back control.  

Do you think the healthcare sector should sit up and take cybersecurity more seriously?   

There are multiple factors to this: One is the need of security, and the other is the use case. But if you talk about cybersecurity, that is the need of the hour. However, what’s more important to know is the environment you’re working in.

In healthcare, customer data is very sensitive. So, the CISO needs to ensure that there are adequate controls in place to prevent a data breach.

The CISO needs to ensure that whatever needs to be done to protect this data is done. And that includes drafting a budget plan, sharing it with the management, getting it approved, and roll it out.

Earlier, hospitals used hand-written prescriptions, but now with everything getting digitized, the need for security is paramount.

We need to understand and adopt technologies that are fit for the current environment.

The trend of cyber insurance in the healthcare cybersecurity space

Companies are talking about cyber insurance today, and I see people opening up to it and adopting it. But at the same time, a lot of CISOs are not turning to cyber insurance as the market is not mature enough.

Insurance still holds a stigma in the Indian market. People believe that taking an insurance bodes some sort of an unpleasant occurrence, and that keeps them away from it.

But as the market matures, there will be a boom in cybersecurity insurance in the Indian market. No one will be ready to bear the amount of risk.

What are you takeaways for CSOs in the healthcare sector?I believe, in the future, budget forecasting will include the cost of cyber insurance. Companies need to explore cyber insurance and see whether it fits their needs.

The learning process is an ongoing process; every day, there’s a new learning. Each person in the leadership team must evaluate and be aware of what’s the sensitive data in the organization.

They must figure out what are the sensitive points and the loopholes in the system, and based on that, outline a strategy based on short-term and long-term goals.

For healthcare, it’s imperative that stringent controls are put in place for the applications where customer information is stored.

This content is part of a special series on IDG Security Day, a day long global event, with the India chapter to be held in Mumbai on June 21, 2017.  

We invite you to join the conversation at #IDGSecurityDay. To keep up with the latest on security, follow  @cso_india  on Twitter and @CSOOnlineIndia on FB.