By Ken Khouri, Director, Software Managed Services & Information Security
The unfortunate reality is that cybercrime pays. It pays really well for bad guys. That is because patient records are an order of magnitude more valuable than financial services records to criminals and they're often more easily stolen.
They're more easily stolen because the investment around security in healthcare lags behind other industries, especially financial services. By comparison, according to the SANS Institute, financial services invest about 10 to 12 percent of IT spend on security and in healthcare, it's typically 4 to 6 percent. More culprits are entering the cybercrime field, from organized crime, nation-state attackers, to researchers. Additionally, there are more and better tools being developed and made available to conduct nefarious activity. Expanded nefarious activity is leading to more ways for malicious actors to monetize their endeavors.
Two big examples of those are ransomware extortion via Bitcoin payments and also the theft and sale of patient health information on the Dark Web. Without a doubt, it's become a large and growing problem.
For healthcare providers who become victims, it's very difficult from a reputation and cost standpoint. First, they have to figure out what may have happened and the forensic analysis itself is expensive. Then they have to notify the patients and identity protection. By now, many people may have received letters regarding their information stolen either from a retail or financial service or healthcare institution. Healthcare institutions also have to deal with fines from Office for Civil Rights, the agency that enforces the HIPAA requirements. Finally, they have to deal with patient frustration directly and the potential for class-action lawsuits. Ultimately, they have to fix the issues that led to the breach initially. Based on analysis from Varian, as well as the Ponemon Institute, all told the costs add up and could be substantial, on the order of $7 to $13 million per episode for a typical patient database containing ~3000 patient records.
The cost to patients of having their medical identity compromised is even worse, both emotionally and financially, because they are already vulnerable. Cancer patients are fighting for their lives, as well as worrying about the well-being of their families. Many of them are concerned about their ability to afford treatment. The last thing a cancer patient should have to worry about is having their health information compromised and having to deal with the aftermath.
Cancer centers and oncology practices fight every day to save their patients’ lives and give them hope in the face of a terrible disease. Protecting the security of patient information is a different kind of fight; one that healthcare organizations must take seriously in order to protect their patients. At Varian, we're working to develop software solutions that help make this data more secure so healthcare organizations can continue to focus on fighting cancer. So what does that mean exactly? It means helping maximize the security of patient information, maintaining the integrity of treatment delivery, and further enhancing clinical uptime by helping defend against cyber-attacks. To read more on this topic and understand how Varian is tackling this issue check out this whitepaper.