The healthcare industry is familiar with epidemics. But now another one worthy of attention is the spreading risk of healthcare hacks. Data breaches or other cyber attacks can impact services and endanger patient privacy. They also wreak havoc for healthcare marketers. Understanding the challenges can help the marketing team better prepare for the worst.
Understanding the Problem.
Cybercrime is increasing across the board, and healthcare suffers the most attacks of any industry. Attackers easily evade perimeter defenses, with 164 threats detected per 1,000 host devices, according to Vectra’s recent Attacker Behavior Industry Report.
“From medical records, to insurance and credit card information, pharmaceutical data, high-profile records and medical research data, the healthcare industry represents a bounty for criminals.” — IBM healthcare report
Healthcare targets can be quite low risk and high profit. Medical identities are highly sought after on the global black market. In 2016, a total of 325 large-scale PHI data breaches were reported, compromising 16.6 million individual patient records, according to CynergisTek/Redspin’s State of Cybersecurity in Healthcare report.
Healthcare also has the highest per-record cost for lost or stolen sensitive data at $363 per record, according to a 2017 IBM/Ponemon report.
The high value of the target is just one of many reasons the industry’s exposure to attack is on the rise.
Another is the significant increase in Internet connected devices and the expansion of the Internet of Things (IoT) in healthcare settings. For example, a recent Synopsys and Ponemon survey of 604 medical device manufacturers and healthcare delivery organizations (HDOs) found the majority—67 percent of manufacturers and 56 percent of HDOs—believe an attack on a medical device they built or use “is likely within the next 12 months.”
The difficulty in securing these medical devices—due to accidental coding errors, lack of knowledge/training on secure coding practices, and pressure on development teams to meet product deadlines—doesn’t help. Synopsys found that only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent attacks.
“The security of medical devices is truly a life or death issue for both device manufacturers and healthcare delivery organizations,” said Ponemon Institute chairman and founder Dr. Larry Ponemon.
Simultaneously, there are concerns in the healthcare industry regarding the growing prevalence of cloud solutions. These raise issues about ownership of data, lack of transparency, and insider threats, along with the more familiar cybersecurity fears. The 2017 HIMSS Cybersecurity Survey also identified the need to be proactive regarding vulnerabilities related to business continuity and disaster recovery.
Attacks exploit numerous vulnerabilities via ransomware, point-of-sale systems, phishing, and drive-by malware. While the largest 2016 breach was at Banner Health, with approximately 3.2 million patient records affected, other breaches also occurred at smaller targets such as ambulatory clinics. The HIMSS report authors noted, “It may be that these are ‘easy targets’ since many small practices lack the necessary IT security resources and expertise to implement effective security protections.”
Unauthorized access, theft, loss, and improper disposal were also at the root of 2016 data breaches. For instance, a stolen, unencrypted laptop may have exposed PHI for patients in the California Correctional Health Services system between 1996 and 2014.
Any of these types of attacks can be devastating to a healthcare organization. Regardless of the reason for the privacy or security breach, the attack erodes trust.
Is there any good news?
The current cybersecurity context for healthcare is headache inducing. Yet, there are still positive signs. According to the 2017 HIMSS Cybersecurity Survey, 71 percent of organizations surveyed allocate specific budget toward cybersecurity. Additionally, 80 percent of the organizations surveyed employed dedicated cybersecurity staff.
While there is always room for improvement—as the threat landscape is constantly evolving and the bad actors are adaptable and highly motivated—the HIMSS labeled its results “encouraging” as “many organizations are making security programs a priority.”
The 2017 survey also found:
- Of the 71 percent of respondents whose organizations allocated a specific part of their budget toward cybersecurity, 60 percent allocated 3 percent or more of the overall budget.
- 75 percent had some type of insider threat management program at their organization.
- 85 percent conducted a risk assessment at least once a year.
- 75 percent regularly conducted penetration testing.
This all suggests that healthcare organizations recognize the reality of cyber threats in the industry and are acting to protect and prevent. As HIMSS Director of Privacy and Security Lee Kim put it, “the current stance of the healthcare providers is that they have dug deeper into this area and are getting much more serious.”
How does this impact healthcare marketers?
What, though, can healthcare marketers do to dig deeper and up their game in relation to cybersecurity threats?
Have an action plan in place.
The number of healthcare provider and plan compromises is rising. Some 47% of respondents in a recent KPMG consulting study reported security-related HIPAA violations or cyber attacks, compared with 37% in 2015.
While the types of attacks vary—phishing emails, malware, external hacking, internal bad actor, ransomware—the process for responding to a threat should remain the same.
Just as the organization needs a plan ready to report to the necessary law enforcement and industry-compliance authorities, healthcare marketers should be ready to answer to the public. A Harvard Business Review article suggests discussing in advance:
- Who is best suited to address the crisis from your company’s breach response team.
- Who will make decisions around messaging and communication in real time.
- What your data assets and potential risks are, to anticipate possible responses.
- Ways in which your cybersecurity framework for managing risk ties to business values.
- Possible brand impacts based on legal obligations, industry standards, and public opinion.
- Who in the community—partners, investors, media contacts—can help you impact public opinion during a cybersecurity crisis.
- Additional training you might offer authorities within the organization who will become go-to spokespeople in a cybersecurity crisis.
- Parameters for information disclosure in the hours, days, weeks, and months following a cyber attack.
Be ready to manage in a crisis.
A breach of PHI is not the only scenario you might face. Be ready also for a denial-of-service (DoS) or ransomware attack that threatens operations at the healthcare organization. A cybercriminal could hold mission-critical systems hostage or, in a less damaging example, cause a slowdown of patient-scheduling software.
For example, the global WannaCry ransomware attack earlier this summer crippled the UK National Health System and two large U.S. hospital systems. And as recently as August 29, Scotland’s NHS Lanarkshire was confirming it had been hit again with a second strain, Bit Paymer, which breached its system and caused disruption to patient care.
This puts marketing and PR teams to the test in addressing public and media concerns while a situation is in progress.
Managing the public perception of the damage is critical. Timeliness and transparency should be top goals in planning ahead for how to handle a breach. Be clear and direct, providing as much information as possible about the impact and what is being done for victims. You’ll want to be able to identify:
- Who is impacted
- What data is breached
- How people can find out if they are at risk
- Next steps for victims
- How the breach happened
- When it was discovered
- What is being done to prevent this from happening again
Be professional, apologetic, and reassuring. Ultimately, it’s important to show that the healthcare organization is taking the issue seriously and is committed to addressing any concerns. Withholding information or delaying a response can prove to be only more damaging to the brand’s credibility.
Relationship building is a long-term effort. Your marketing has already been working to develop a brand personality with a personal touch. Try to keep this brand voice in mind even when you are strategizing your response to a crisis scenario. Being consistent in communications—even under pressure—can help with the ongoing mission to build brand trust and foster credibility.
Time to campaign internally, too.
This threat landscape may also present an opportunity for marketers to develop internal marketing for the healthcare client. A leading source of data leaks is human negligence. An employee might lose a portable storage device containing data records, unintentionally disclose information on websites, or fall victim to social engineering such as phishing.
Build a risk-aware culture by developing a campaign to educate insiders about the risks of cyber attack and strategies to secure data, networks, and systems, as well as physical premises. This investment could go a long way as a preventative measure.
The “it won’t happen to us” mentality is the most dangerous. Marketing is about messaging—make sure the message to be cautious and be prepared for the worst is getting out in your healthcare organization.
MDG Advertising, a full-service advertising agency with offices in Boca Raton and New York, NY, is one of Florida’s top healthcare marketing companies and branding firms, whose healthcare clients include Dental Care Alliance, MDVIP, Max Planck Florida Institute, HCA East Florida, Primary Pharmaceuticals, and MD Now. MDG’s core capabilities include branding, logo design, print advertising, digital marketing, mobile marketing, email marketing, media planning and buying, radio and TV advertising, outdoor, newspaper, video marketing, infographic development, website design and development, content marketing, social media marketing, and SEO.