Cybersecurity, Its Importance, Regulations, And Shortfalls
Cybersecurity is the protection of computer systems from theft or damage to the software or data that they contain. Cybersecurity, pertaining to healthcare and employee benefits, is the protection of computer systems that handle all privileged data and funds that are used with these plans. The priority of protecting an employee’s, patient’s or client’s information in healthcare and benefit plans is becoming more difficult; companies and institutions must use recent data breaches within the industry to evaluate their own vulnerabilities; they must continue to educate and train all employees to be aware of everyday cyber attacks; and they must keep adapting their security strategies to stay ahead of the evolving technologies being adopted by the industry.
Why Cybersecurity is Important
There is a lot at stake when it comes to the security of employee benefits. RMS liability consulting estimates there are over $8 trillion in retirement assets; over $1 trillion flowing through retirement plans from combined contributions every year; and over $50 million in self-insured or partially insured benefit programs. These, and more, add up to many desirable targets for hackers.
The area in which healthcare and benefits can be targeted is increasing. This is because of the massive growth in technological spending and innovation within the healthcare industry. The introduction of systems such as telehealth, cloud storage and connected medical devices (e.g., Bluetooth pacemakers) has made the surface on which healthcare is vulnerable grow exponentially. Traditional security measures like firewalls and password protection are becoming outdated. Hackers are taking advantage of the multiple users that interact with these technologies on a day-to-day basis. They are exploiting the dependency that companies and providers place on these technologies.
Data in healthcare used to be unattractive to hackers. They didn’t see the purpose of going after it. Nowadays, however, hackers are attacking it harder and faster. They don’t just want a patient’s social security number; they want the entire array of data. According to Forbes, the going rate on the black market for a social security number is 10 cents and a credit card number is 25 cents. An electronic health record, though, is worth hundreds to thousands of dollars. Medical records contain so much more than just a social security number or payment information. They contain your demographics: address, phone number, age, job, gender, etc. It is a record of everything that makes up your livelihood. This stolen information can be used to file false medical claims, file false tax returns and even open lines of credit.
Security and Privacy Regulation
Healthcare businesses must remain compliant with all guidelines put forth by the Health Insurance Portability and Accountability Act (HIPAA), and that means guarding their patients’ or clients’ personal information. HIPAA currently has a security rule in place that covers the guidelines for guarding sensitive data. It requires institutions to have policies and procedures in place to protect the confidentiality, integrity, and availability of electronic health information. Confidentiality protects all patient and client information from being discussed with unauthorized parties. Integrity protects the information from being stolen, lost or corrupted. Availability requires that requested information is readily available to those privileged to know. The HIPAA security rule encompasses the guidelines specifically for electronic patient data. HIPAA also introduced the Omnibus Rule, a rule relating to the protection of personal health information among business associates and contractors. Penalties for noncompliance can range up to $1.5 million per violation. This rule is continuously implementing new guidelines as technologies change. Recently, there have been guidelines set for mobile health applications and telehealth.
There are several types of threats when it comes to cyber attacks. First, we have one of the most common, ransomware. Ransomware is malicious software that can take control of a user’s computer and hold it or its data files for ransom. The software encrypts the designated files and prevents access to the files until the ransom is paid. Ransomware attacks are very common, and most users do not even realize they have occurred until they try to access a file that has been encrypted. When it comes to employee benefits, these attacks pose a threat in the human resource department. These attacks target commonly used data in the HR department that allows employees to conduct claims and gather day-to-day information on benefits. Attackers know that certain data files will need to be decrypted as soon as possible and that this will make businesses more likely to pay the ransom.
In 2016, hackers made $209 million from ransomware extortions in the first three months of the year. Merck, a pharmaceutical company, reported that ransomware attacks have cost them roughly $135 in revenue. Second, there has recently been a trend in social engineering as a form of hacking. Another name for this is “con artist”. These hackers rely on manipulation and outsmarting the person they are trying to hack. They operate by a common principle called KISS. KISS stands for “Keep it simple, stupid”. These hackers will generally operate through email. They will try to impersonate a key employee within the business or a relative/dependent of the benefit. For example, they will typically request access to a benefit plan or request to move funds. These types of hacks commonly target lower-level employees at an employee benefits broker or the human resource department at a business.
One of the most common examples of a social engineering hack is something called a ‘phishing email’. These emails, just like how the name sounds, are used as bait. They are created to lure and trick the recipient into accessing a fake website or downloading a virus. They can also be hackers impersonating a key employee or client in order to trick the recipient into providing privileged information.
Part of the reason the healthcare industry is seeing a major onslaught of cyber attacks is a shortage of cybersecurity professionals. While cybersecurity jobs have always been in demand for industries like defense contractors and government agencies, there has been a recent boom in industries like finance, healthcare and retail. In the past five years, the healthcare industry has seen a 121 percent increase in the demand for cybersecurity employees.
Cybersecurity professionals generally hold the Certified Information Systems Security Professional (CISSP) credential. In the U.S., there were 65,362 professionals who hold this certification. However, in one year, across all industries, employers posted nearly 50,000 jobs requesting a CISSP-certified professional.
As you can see, the number of qualified professionals is barely enough even if they were all searching for a job in any industry. However, for the healthcare industry to be attractive, it must also match the competitive salaries and incentives that industries like high finance are easily able to offer. Thus, there is a massive gap between the demand and supply of certified cybersecurity professionals in the workforce.
Technology has its benefits in the healthcare industry, but it doesn’t come without its downsides. The major downside is that the rapid development of technologies is creating a demand for better and better security measures. Although frameworks and templates will create a good baseline for cybersecurity in healthcare, they will never provide you with the most optimal protection. Cybersecurity is like the flu shot. Every year you have to retake the flu shot because every year the flu virus mutates. Doctors have to keep tweaking the flu shot to fit the mutations that the flu virus undergoes. Well, this is just like cybersecurity. While you have your baseline security that will protect you against the majority of risks, there will always be attacks that come at you in a new form or with new malware. You need to be able to adapt and tweak your security every year to what is happening across the industry.
Every time there is a breach in a healthcare or employee benefits company, all other companies should look at what the vulnerable cause was and make sure they are protected. Cybersecurity should always be a top priority in this industry, whether for the top executives or the lowest employee in the company. Everyone needs to be well trained and on the lookout for cyberattacks.