When you think about the word security, what images come to mind? There’s a pretty good chance a bank vault is one. And for good reason: banks have been in the business of locking down and protecting assets for as long as they’ve been around.
And, when it comes to the online world, banks also have a head start on many industries. They’ve been wiring funds for more than a century and providing digital services to customers for more than 30 years.
Healthcare providers share many of the same cybersecurity challenges banks do, but, to be fair, are playing catch up, both in terms of digital services and in the safeguarding of them.
Leading with digital services
Today, 80 percent of Americans prefer digital banking over visiting their local bricks-and-mortar branch, and a few years ago smartphones exceeded computers for banking. That’s a lot of trust to be earned — or lost.
With so much money digitally changing hands, and the personal information of so many customers to protect, is it any surprise that banks have invested more heavily than other industries in cybersecurity? With a lengthy history of dealing with cyber threats and adopting technology early, banks are familiar with the risks they face.
Perhaps more importantly, banks understand that being secure makes them money. According to ConsumerAffairs, 82 percent of bank customers haven’t switched institutions because their current bank has a secure, intuitive, and convenient digital banking platform.
What do banks and healthcare have in common in cybersecurity?
Like banks, healthcare organizations have extremely valuable assets to protect, and are increasingly reliant on digital processes. Electronic health records (EHR), for example, are a blessing to clinics and practitioners in serving patients, operating efficiently, and improving health outcomes. They also introduce risk and privacy considerations, especially given the increase in remote employees.
The personally identifiable information in an EHR is the brass ring for hackers since it often includes all the data — dubbed “fullz” by fraudsters — they need to steal an identity.
And, just as mobile banking is on the rise, the COVID-19 pandemic of the past few years has dramatically increased use of telehealth services by both clinicians and patients. Like it or not, healthcare is also going online.
Both industries are highly regulated, with some of the strictest compliance requirements. In fact, both are considered critical infrastructure by the US Cybersecurity and Infrastructure Security Agency (CISA).
Breaches are costly. Security incidents in banking are incredibly expensive (on average $5.97 million), but pale in cost to those in healthcare — which has for 12 years in a row had the highest average costs associated with a breach ($10.10 million).
It’s also worth noting that both are industries built on trust. If your banking customers or patients don’t trust you, you have nothing.
What can healthcare learn from banks and financial services companies to help better secure their networks, and protect their employees, partners, and patients?
Lesson 1: Invest in security
Well, first, there’s some catch-up to do. While banks have been investing in cybersecurity for years, it has often been deprioritized in healthcare. Despite the wake-up calls of many incidents around the world, studies consistently show healthcare lags behind other industries in cybersecurity investment.
While banking looks at cybersecurity investment through the lens of a single, all-encompassing necessity, many healthcare organizations begrudgingly and disjointedly deploy cybersecurity measures only in response to an attack. As a result, healthcare is hit hardest among all industries by breaches and ransomware attacks. In 2020, nearly 80 percent of all reported breaches were in healthcare organizations, and it hasn’t improved.
For small and mid-sized clinics and practitioners, even making the investment can be a challenge. Rarely can expert cybersecurity resources be found within such organizations and finding and hiring them in today’s talent-scarce marketplace is also no easy task.
This brings us to the second lesson to be learned from banks…
Lesson 2: Collaborate
In addition to remarkable spending on cybersecurity — the Bank of America, for example, boasts a more than $1 billion a year investment — as leaders in threat protection banks collaborate heavily across the industry on cybersecurity. An important lesson the banks have learned is to improve and develop standards in cybersecurity, and not rely merely on mandates. The FS-ISAC forum is a prime example of this, in which financial services share threat intelligence to improve cyber security industry-wide.
Because of this level of cooperation, banks more frequently have benchmarks around tactics (the “how” to protect things) rather than the regulatory mandates (the “what” to protect) commonly found in healthcare. Working more closely together the industry could glean a lot from its members.
For mid-sized and smaller healthcare organizations, collaboration is a key to building a more successful defense. Not just with partners, hospitals, and other stakeholders, but with outside security experts that can shore up your security posture.
For a peek at some of that expert advice, check out our recent eBook, Modern Cybersecurity for Healthcare.
For example, ActZero has the healthcare-related bench strength to augment and enhance whatever resources a healthcare organization has in place. Our virtual CISO can provide specific counsel around how to meet compliance requirements, while our skilled threat hunters are able to ferret out and thwart cyber threats.
It’s time that healthcare organizations recognized how valuable the data they are storing is and to put it in a vault, like their counterparts in financial services. If we keep neglecting cybersecurity in the healthcare industry, more breaches and disruptions are something we can bank on.
Not sure where to start? Let ActZero help with our free Healthcare Ransomware Readiness Assessment. In less than four hours we’ll review your organization’s current level of risk, monitor the dark web for compromised accounts and mentions of it, and let you know what to do to remediate risks — all without any disruption or cost.