What worries business executives the most these days? Lots of things, but cyber security breaches are certainly among the key concerns.
Nearly three quarters of the 300 business leaders surveyed by The Graham Co., a provider of insurance and employee benefits broker services, said they are most concerned about potential risks associated with cyber security threats to their organizations. [http://www.businesswire.com/news/home/20150826005116/en/National-Survey-Finds-Healthcare-Costs-Cyber-Security#.VeWwiutrnhU]
The survey also found that even though business leaders perceive that they are taking adequate measures to protect their organizations, in reality they’re falling short of doing what is necessary to mitigate the risk associated with these potential threats.
“In the modern-day business environment where everything is interconnected, the potential threats facing a business are immense,” said Ken Ewell, president and COO of The Graham Company. “This complexity of risks has caused many business leaders to become overwhelmed and unknowingly expose their businesses to risks that threaten their bottom line.”
When asked to consider the single biggest risk facing organizations, the business leaders’ opinions varied. But cyber security had the highest proportion, with 21% of the survey respondents identifying it as the number one risk they were most concerned about. Tied for the second greatest risk were professional liability (for example, employee errors and omissions) and legal liability issues (16%), followed by healthcare costs (14%).
The survey results show that companies’ concerns regarding cyber threats are significant. Nearly half of the respondents said they felt there was a significant level of risk regarding a hacking incident leading to theft of customer information; the inability to use the organization’s network; theft of employees’ private information; theft of intellectual property; and inability to access the organization’s Web site.
One sector that surely has a right to be concerned about security is healthcare. Companies in that industry are mandated by the Health Insurance Portability and Accountability Act (HIPAA) to protect patient data from intrusions.
But according to a recent study by consulting firm KPMG entitled “Health Care and Cyber Security: Increasing Threats Require Increased Capabilities” [http://advisory.kpmg.us/content/dam/kpmg-advisory/PDFs/ManagementConsulting/2015/KPMG-2015-Cyber-Healthcare-Survey.pdf], four-fifths of the 223 executives at U.S.-based healthcare providers and payers say their information technology has been compromised by cyber attacks.
“At the core of the increased risk to healthcare organizations is the richness and uniqueness of the information that the health plans, doctors, hospitals and other providers handle,” the report says. “Apart from typical financial fraud, there is also the possibility of medical insurance fraud, or, in the case of providers, attacks on computer-controlled medical devices. As this is the largest part of the U.S. economy and a safeguard of peoples’ well-being, healthcare is a matter of national security.”
Despite the significant repercussions of a cyber attack, the healthcare industry lags in terms of its preparedness for cyber threats, KPMG maintains. “Hackers will find opportunities to exploit flaws in the way healthcare organizations currently fund, manage, enable, organize and implement their information protection capabilities,” the report says.
In terms of technical capabilities, the study notes, “the healthcare industry is behind other industries in protecting its infrastructure and electronic protected health information (ePHI)—as commonly seen in the use of outdated clinical technology, insecure network-enabled medical devices, and an overall lack of information security management processes.”
The report describes how healthcare organizations are facing increased security threats from the adoption of digital patient records and the automation of clinical systems; the use of antiquated EMR and clinical applications that are not designed to securely operate in today’s networked environment; the ease of distributing ePHI both internally (via laptops, mobile devices, thumb drives) and externally (third parties, cloud services); the heterogeneous nature of networked systems and applications; and the evolving threat landscape, where cyber attacks today are more sophisticated and well-funded.
Some healthcare organizations might not realize the sophistication of hackers and their means to infiltrate confidential patient data networks, KPMG says. “Interconnectivity of data in healthcare holds huge promise for health outcomes—improving both quality and efficiency of medicine,” the report says. “The risks associated with interconnectivity are also great, however. The nature, depth and consequences of cyber attacks in healthcare have all changed, and the approach to containing those threats has to change and align with a healthcare organization’s objectives, as well.”
Healthcare is by no means the only industry struggling to secure its systems and data. Companies in all sectors are potential targets for attacks. The report by Graham shows that there’s a healthy concern for cyber security threats. It’s up to security executives, in many cases with help from third-party service providers, to build as strong a defense as possible.