By Lee Kim, Director of Privacy and Security, HIMSS
Twitter: @lkimhimss
In healthcare, the number and volume of the breaches are ever increasing. For many of these breaches, phishing is the initial point of compromise. The human tends to be the weakest link and so hackers tend to exploit the low hanging fruit. Much of the information which is exfiltrated ends up on the black market (e.g., medical identity information, intellectual property, financial information, etc.).
We often hear about healthcare information being very valuable on the black market. But, for anyone who may dare to look at the dark web or even public dump sites, the black market can indeed be somewhat of a scary place—or at least, eye opening. The type of information which is traded on the black market includes healthcare and related identity information and bad actors may use the stolen information to commit medical identity theft and fraud. Indeed, the Medical Identity Fraud Alliance has a lot of information on this subject, including a survey on point.
And, now, law firms that support healthcare organizations and other entities are the target of hackers. Law firms have valuable information, such as data on mergers and acquisitions, intellectual property, protected health information, and other types of sensitive information which they are entrusted to safeguard on behalf of their clients. Indeed, several law firms have reportedly been considering standing up a law firm information sharing and analysis center “to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group.”
All businesses, including healthcare organizations, need to make cybersecurity a business priority. Just like other kinds of risk management, cybersecurity needs to be part of the equation. Reacting to incidents, in the long run, will only prove to be very costly for your organization, in terms of expenditure, manpower, and damage to your organization’s goodwill. Instead, appropriate investment needs to be made in technology and skilled personnel to detect and remove hackers from systems and to make it more difficult for hackers to infiltrate into the systems.
In addition, avoid being low hanging fruit for the hackers. Practice good cyber hygiene, adopt and implement an appropriate security framework for your organization and best practices, have a culture which embraces information security, be vigilant, and call in the good guys when you are in need of help (or even before there is a problem). The importance of information security has increased as a priority for many organizations—it should have a high priority for yours as well. The cyber threat is real and we all need to stay ahead of it.
About the Author: Lee Kim is the Director of Privacy and Security at the Healthcare Information and Management Systems Society North America and a member of the SANS Institute Securing the Human Healthcare Advisory Board. Kim is licensed to practice law in Pennsylvania, the District of Columbia, and before the United States Patent and Trademark Office as a registered patent attorney. Kim holds an AV Preeminent® peer review rating in health care and intellectual property law.