KPMG’s revealing survey about cybersecurity and what we can do about it
27 August 2015
Some of you may remember my post this spring about the breach of my family’s information by a major health insurer. I think about that a lot, as I am sure many of you do as well. It feels like we read about another major hack on a daily basis. We now have major governments funding hacks. The perfect example is the recent breach of the IRS. This recent health IT survey by KPMG really caught my eye: 81% Of Healthcare Organizations Have Been Compromised By Cyber-Attacks In Past 2 Years. 81%! The survey covered both insurers and providers. I am stunned my mailbox does not overflow with notifications every day, but what concerns me is all of the breaches of which we are still blissfully unaware. It is particularly disconcerting because there are so many rules around patient privacy that we should be able to expect that our information is being managed securely. It is not. It would be easy to point fingers at those breached and blame it on their lack of preparation. And I suppose that is true in some cases. It would also be easy to point all the blame where it belongs, on the hackers. The big question for me, though, is what can I do about it? In short, the answer is not much. I can’t imagine querying an ambulance driver about the information security processes of a hospital. Even if they knew, would you divert to a different hospital based on the answer? Of course not. In a similar fashion, one would be unlikely to change insurers based on information about data security. But that doesn’t mean customers don’t care about it, and data security is something the audience of this blog can do something about. Regardless of your role in the company, ask some questions. Keep pounding the drum that our industry needs to stop being passive and needs to make the investment, even more investment, in security. We tend to think of the “big breach” as the area to invest, but there are so many more areas on which to focus.
The survey showed that 35% of the respondents had a data breach from their own employees. So when you’re beating the aforementioned drum, make sure to discuss your internal risks too. As important, if you are in a position to do so, help ensure this is a topic discussed with the CEO of your company. They need to be aware, and be prepared, for the almost inevitable breach. Your company wants to handle it quickly, professionally, and competently. This would be in stark contrast to the insurer mentioned in my previous post, which took 3 ½ months to notify me, and started with my 4-year-old. In the words of Sergeant Esterhaus in the incomparable ’80s classic Hill Street Blues, “Let’s be careful out there.”