Organizations that experience data breaches can expect many negative repercussions such as loss of reputation, loss of customers and fall of share value. The impact of a data breach on a company’s reputation and share value has recently been studied by the Ponemon Institute.

The Centrify-sponsored survey was conducted on IT operations and information security professionals, senior level marketers, communications professionals and consumers. 31% of the 446 IT practitioners said they had experienced a data breach of more than 1,000 sensitive records in the past two years, while 62% of the 549 consumers surveyed said they had been notified by companies or government agencies that their data had been exposed as a result of a data breach in the past 24 months.

Data breaches are to be expected; however, the study suggests that the C-Suite and boards of directors do not fully appreciate the negative impact data breaches can have on companies’ reputations. The effect can be considerable. The Ponemon Institute tracked the share value of 113 publicly traded companies for 30 days prior to a data breach and for 90 days following the breach. On average, share value dropped by 5% following the disclosure of a data breach.

However, it is possible to stop a decline in share value following a breach, provided companies are able to respond quickly. Companies that had self-declared their security posture to be superior prior to a breach, and were able to respond quickly the security incident, regained stock value after an average of 7 days.

Companies that had a poor security posture and failed to respond quickly saw a stock price decline that lasted an average of 90 days. Organizations with a poor security posture and slow response were also more likely to lose customers as a result of the breach.

The potential for loss of customers is considerable. 31% of consumers said they discontinued their relationships with the breached entity following a data breach, while 65% said they lost trust in the organization after being affected by one or more breaches. The average losses reported by organizations with a low customer loss rate (less than 2%) was $2.67 million. A customer loss rate of 5% resulted in average revenue losses of £3.94 million.

The study also revealed that healthcare organizations are trusted the most when it comes to keeping sensitive information secure. 80% of consumers said they trusted their healthcare providers to protect their sensitive information with the industry ranking highest in terms of consumer trust, even though healthcare organizations experience 34% of all data breaches.

Aside from banking institutions, which were trusted by 77% of consumers, trust in financial institutions was far lower. Only 26% of consumers trusted their credit card company to protect data, even though credit and financial institutions account for just 4.8% of data breaches.

The post Ponemon Study Reveals Impact of Data Breaches on Organizations’ Reputation appeared first on HIPAA Journal.

The Health Care Industry Cybersecurity (HCIC) Task Force was formed by Congress, as required by the Cybersecurity Act of 2015. The purpose of the HCIC Task Force is to address the cybersecurity challenges faced by the healthcare industry and help the healthcare industry improve cybersecurity defenses and prevent security breaches.

The Cybersecurity Information Sharing Act of 2016 required the Health Care Industry Cybersecurity Task Force to issue a report detailing improvements that can be made to improve cybersecurity in the healthcare industry. The final version of the report was released on Friday June 2.

The HCIC Task Force explains in the report that the high number of hacking incidents, ransomware attacks and data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in recent years clearly show the healthcare industry is struggling to secure networks and data.

The HCIC Task Force says many healthcare organizations believe cybersecurity vulnerability is low. Recent breaches and ransomware attacks have shown that assumption is false. While recent data breaches have highlighted the very real risk of security incidents and data breaches, addressing vulnerabilities and improving security is a major challenge.

Most healthcare organizations have extremely limited budgets and lack highly skilled cybersecurity personnel.  Infrastructures make it difficult to identity and track threats and a lack of skilled staff means many healthcare organizations cannot easily translate threat data into actionable information. Even if threat information can be turned into actionable information, many organizations do not have the capability to act on that information.

However, these cybersecurity threats place the safety of patients at risk. Recent ransomware attacks have shown that access to patient data can be blocked, while vulnerabilities in medical devices could be exploited to cause patients serious harm. The report says, “health care cybersecurity is a key public health concern that needs immediate and aggressive attention.”

Prior to writing the report, the HCIC Task Force consulted experts from other critical infrastructure sectors and received briefings on strategies and safeguards that could be implemented to address key cybersecurity threats. The Task Force also spoke with stakeholders on the challenges faced by the healthcare industry.

One of the key problems identified in those discussions is severe budgetary constraints. That means healthcare organizations are faced with a choice of purchasing cybersecurity technologies to secure networks and data or buying new, much needed medical equipment or paying staff costs.

However, if vulnerabilities are not addressed and action not taken to improve security the safety of patients will be placed at risk.

In a recent blog post, Steve Curren, Director of the Division of Resilience in ASPR’s Office of Emergency Management, said “The Office of the Assistant Secretary for Preparedness and Response understands that healthcare facilities are facing these challenges right now and we have developed a collection of peer-reviewed resources on cybersecurity to help healthcare industry stakeholders better protect against, mitigate, respond to, and recover from cyber threats, in order to better defend patient safety and operational continuity.“

Task Force Co-Chairs Emery Csulak and Theresa Meadows explained that “While much of what we recommend will require hard work, difficult decisions, and commitment of resources, we will be encouraged and unified by our shared values as health care industry professionals and our commitment to providing safe, high quality care.”

In the report, the HCIC Task Force made several recommendations to improve healthcare cybersecurity and detailed six high-level imperatives:

The authors say, “The successful implementation of these recommendations will require adequate resources and coordination across the public and private sector. Once implemented, the recommendations will increase security for the health care industry’s organizations, networks, and associated medical devices.”

The report has changed little from the pre-release version released early last month. The final version of the 88-page report can be viewed on this link.

The post Final Healthcare Cybersecurity Task Force Report Details 6 Imperatives to Improve Security appeared first on HIPAA Journal.

Ascension Health, which runs the Seton Healthcare Family hospital network in Austin, TX, announced earlier this week that a computer virus had been discovered on its computer network. The hospital network was alerted to a potential cyberattack on Sunday when ‘suspicious activity’ was detected on the network.

In response to the suspected cyberattack, Seton Healthcare shut down around 3,600 devices as a precautionary measure while the incident was investigated. The suspicious activity was attributed to a virus, although no details have been released on the nature of the malware.

IT teams worked quickly to remove the virus and secure its network. The computer systems used by Dell Seton Medical Center and Dell Children’s Medical Center were quickly restored, although Seton Medical Center Williamson and Seton Medical Center Hays continued to be impacted by the incident until Wednesday, May 31. The Seton Smithville Regional Clinic and Seton Shoal Creek facility were unaffected.

The fast response by Seton Healthcare reduced the impact of the cyberattack. Staff had been drilled to expect incidents such as this and policies and procedures could be quickly implemented in case of malware, ransomware or hacking incidents. As this incident shows, healthcare organizations need to be prepared for security incidents and have the capability to respond rapidly.

A statement about the incident was issued earlier this week by Ascension Health confirming there were “no patient safety issues” and “no devices have been reported as encrypted by ransomware.” Systems were shut down as a safety precaution, with staff members moving to paper records while systems were down and the virus was removed. Ascension Health said “The attempt was unsuccessful, so no data was encrypted or lost.”

Out of an abundance of caution, emergency medical services were instructed to redirect some patients to other hospitals during the seven hours that the systems were down on Sunday night out of safety concerns. Additional members of staff were also called in to ensure patient safety was not affected.

The post Seton Healthcare Family Hospitals Targeted by Cybercriminals appeared first on HIPAA Journal.