The KPMG 2017 Cyber Healthcare & Life Sciences Survey of providers and health plans found a dramatic rise in computer system breaches and data compromises, which include patient records, over the past two years. Despite that increase, more executives, who oversee protecting patient records and other information, say they are better prepared than two years ago to protect themselves against cyber-attacks, according to the survey by KPMG LLP, the U.S. audit, tax, and advisory firm.
"Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cyber-security risks," said Healthcare Advisory Leader Dion Sheidy. "There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate. The WannaCry ransomware hack in May was a warning shot against our collective ability to protect patient safety and privacy."
KPMG, which published its findings in a report titled "The Healthy Approach to Cyber Security," found that 47 percent of healthcare providers and health plans said they had instances of security-related HIPAA (Health Insurance Portability and Accountability Act) violations or cyber-attacks that compromised data compared with 37 percent in KPMG's 2015 survey -- an increase of 10 percentage points. However, when asked about "readiness to defend against a concerted cyber-attack," 35 percent said they are "completely ready" versus 16 percent in 2015.
Despite the rising threats, KPMG's survey found that cyber security as a board agenda item has declined over the past two years (79 percent versus 87 percent in 2015). In addition, KPMG found a disconnect regarding cyber investment in this volatile environment. A smaller majority of healthcare companies made investments in information protection in the prior twelve months (66 percent versus 88 percent in the 2015 survey).
Data sharing with third parties is seen as one of the biggest vulnerabilities among healthcare providers and insurers with 63 percent of respondents mentioning it, topping Internet-enabled devices not fully controlled by IT and the lack of resources/budget. Yet sharing data is an important element of coordinating care and succeeding in a healthcare reimbursement environment that is moving away from paying for activity (fee-for-service) and toward outcomes.
KPMG's survey found that both payers and providers were opting to focus on investing in technology rather than process and staffing. "A solid cyber security program needs people, processes, and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach," said Michael Ebert, leader of KPMG's cyber security group in healthcare & life sciences. "Software can only protect you so far and staff is important when it comes time to respond to a data breach. The respondents that are not emphasizing staff and processes are underestimating the threats or creating a false sense of security among their management and board."
Only 15 percent of respondents said that increased or higher quality staffing are needed to make their organizations more effective in cyber security, while an "overarching strategy" was seen as the biggest need by 24 percent. "Stronger processes" at 21 percent, and "increased funding" and "better technology" at 20 percent were also cited as big needs. Staff (hiring, training) ranked last at 24 percent in areas where organizations planned to make investments, trailing planned investments in stronger policy, technology, consulting, managed services and hardware.
The KPMG 2017 Cyber Healthcare & Life Sciences Survey asked 100 C-level technology, information and security executives at healthcare providers and health plans about their overall readiness, vulnerabilities and resources dedicated to protecting data. A separate cyber security survey was conducted with 100 executives at biotech, pharmaceutical, and medical device companies