Determining the right level for your IT security investment: a rural medical center facing threats of data breaches discovered that hospital IT security investments go beyond just dollars and cents
Fraud and medical identity theft are at all-time highs across the healthcare industry as criminals seek to exploit sensitive and highly valuable information. The increased incidence of healthcare data breaches is in large part a consequence of digitization of patient information, but it has been fueled by indiscriminate attacks by mostly foreign-based organizations.
In a recent survey conducted by the Ponemon Institute, researchers found that healthcare data breaches increased 32 percent from 2010 to 2011, with the average cost per organization growing 10 percent in 2011. At the same time, research indicates the healthcare industry is not putting necessary resources into IT security, with surveys showing the industry spends little more than half as much as other regulated industries do in this area. Wyoming Medical Center in Casper, Wyo., is a notable exception to this trend.
Lessons Learned in Wyoming
Wyoming Medical Center has successfully fended off its share of the types of IT security attacks the healthcare industry is typically seeing today. From its first security risk assessment in 1996, after HIPAA went into effect, to the ongoing technology security efforts taking place at the hospital today, Wyoming Medical Center has learned that investing in IT security is not only feasible on tight budgets, but also necessary if a healthcare system wants to maintain its reputation for putting patients first.
Wyoming Medical Center successfully held off attacks on its firewall first from Russia, then from Brazil. However, an initial IT security risk assessment revealed that the medical center was at risk not only from outside attacks that put patient information at risk, but also from internal threats, whether intentional (e.g., by a disgruntled employee trying to cause harm) or purely accidental.
Although Wyoming Medical Center had limited resources and staffing to stay on top of the quickly evolving technology, its leaders decided IT security should be a top priority. They pledged that the organization's patients would leave the hospital in better condition than when they came, with the security of their data assured.
Likening an IT security initiative to bringing in an outside auditor for financial audits, the medical center contracted with an IT consultant for a more thorough risk assessment to identify immediate trouble spots and to enhance the security of its IT network. The audit flagged a host of high-risk items the organization's leaders never suspected existed, such as lack of a disaster recovery plan and passwords that were not as secure as they should be in a healthcare provider setting.
In the first...