Your organization has just had a security breach and now you have to notify your management. You need to call your boss. This is never an easy call and invariably includes questions like: What data has been compromised? How bad is it and do we need to report a PHI disclosure? How and when did you find out about this? Have we closed the security hole? I thought we passed an audit or assessment recently. Why didn’t that new security product you just bought stop this?
You may have been fortunate and found the problem quickly, contained it, and can reassure your management that the exposure is limited.
Reality is often different. Studies by Proficio, Verizon, and others show that the majority of security incidents are discovered by third parties, and that in two thirds of cases the incident goes undetected for a month or longer. Once detected, over half of the cases took a week or more to contain.
Hackers like to target healthcare organizations
Cyber criminals target patient records, SSNs, and credit card numbers. Foreign actors are searching for intellectual property including proprietary medical research and processes.
Medical identity theft is growing and is a significant problem. According to the 2013 Survey on Medical Identity Theft conducted by Ponemon Institute, medical identity theft affects nearly 2 million people and has increased 20% in the last year.
Healthcare organizations are considered soft targets for the following reasons: