Gold Remains in the Healthcare Hills for Cybercriminals

By Tim Freestone, Chief Strategy and Marketing Officer at Kiteworks

Bad actors targeting healthcare because of the rewards
Unfortunately, reports continue to place healthcare among the top industry sectors targeted globally by rogue nation-states and cybercriminals. Research conducted last year by Check Point Software found that cyberattacks on healthcare organisations increased by almost a quarter (22%) from Q1 2022 to Q1 2023. One reason for this increase is that there is “gold in them healthcare hills.” Healthcare organisations send, share, and store large volumes of personally identifiable information (PII) and highly sensitive protected health information (PHI), and that is a key factor. It should come as no surprise, then, that the annual “Cost of a Data Breach Report” by IBM and the Ponemon Institute has listed healthcare for 12 consecutive years as the industry with the highest average cost of a breach, with the figure now hitting an eye-watering $10.1 million.

Too many disaggregated communication tools
Our Sensitive Content Communications Privacy and Compliance Report last year revealed that healthcare organisations often struggle to manage file and email data communication risks, both inside their organisations and with external third parties. One reason is the large number of systems healthcare organisations use to send and share private data. Nearly seven out of ten healthcare organisations say they have six or more sensitive content communication systems in place, more than any other industry sector. Something needs to change.

Ranking third-party content communications risk
When healthcare organisations are asked to rank the risk of their different communication channels, email and web forms are tied for the most number one ranks (20.5%). When ranks one and two are combined, however, email received the most listings with 39.5%. One of the main ways email poses a risk to healthcare organisations relates to challenges with its encryption, especially when recipients cannot decrypt an email because it was encrypted in a format not supported by their organisation. In that situation, healthcare organisations often resort to asking the sender to resend the file or files unencrypted in an unpublished shared drive link. This is never a good idea.

Beyond email, file sharing and web forms tied for the second-highest risk assessment based on ranks one and two. Governance plays an important role here. One-third of respondents say they only track and control access to sensitive content folders for certain content types. Another 28.5% only do so for certain departments.

Whilst risk management of third-party content communications is seen as a problem across many industry sectors, healthcare is at the top of the list. Almost four in ten respondents (38%) say they require a new approach, or that their current approach requires significant improvement. Another 46% indicated some improvement is needed. And not before time. Survey responses corroborate concerns around risk, with an incredible 98.5% of healthcare organisations saying they have experienced four or more exploits of sensitive content communications in the past year alone.

Better digital risk management is required
In my view, a lack of robust digital rights management is a big part of the problem, though weaknesses across healthcare organisations are not all the same. For example, 41.5% of respondents said they have administrative policies in place for tracking and controlling content collaboration and sharing on-premises but not in the cloud. At the same time, 28.5% said the opposite: they have tracking and controls in place for the cloud but not on-premises. Only slightly more than one-third say they have both the cloud and on-premises covered.

A Private Content Network could be the answer. A Private Content Network employs a content-defined zero-trust approach that would enable healthcare organisations to unify, track, control, and secure all their sensitive content communications in one platform. This would allow healthcare organisations to track and control access to files and folders, who can edit and share them, and to whom and where they can be shared. This could be a game changer, as it would enable healthcare organisations to ensure that personally identifiable information (PII), protected health information (PHI), financial records, insurance claims, and more remain private and in compliance with increasingly stringent global regulations.

