In the last month, at least four U.S. hospitals — and their thousands of patients and employees — were victimized by major cyber attacks. Malicious hacks into York Hospital in Oregon, Saint Joseph’s Healthcare System in New Jersey, Methodist Hospital in Kentucky and Hollywood Presbyterian Hospital either held hospitals hostage, or enabled broad access to the most private information and even wages. Hollywood Presbyterian hospital paid $17,000 to regain access to their EMR after hackers locked them out for 10 days. The initial cash demand was for $3.5 million. Next time that hospital may not get off so easily. Nor the hospital 100 blocks or 100 miles away.

Hospitals that have not beefed up their IT security recently or have no plans to do so are clearly in peril. Read on to learn more and download our special guide: “For Security’s Sake: Implementing a Risk Management Program.”

Recent estimates are that at least one health care organization a month will be affected by cyber crime, but as of 2016 that number is starting to look way too conservative.

Information security is a devious specter in hospitals; it hovers over every IT decision that is made, but is rarely central to those decisions. Why not? The consequences — major breaches in the security of protected health information (PHI) — are real and numerous.

General lack of awareness or concern within senior management about security risks — including cyber attacks — frequently keeps security improvements off the executive budgeting radar, even though implementation of sophisticated EHRs requires sharing more PHI than ever before.Your hospital’s security prognosis is uncertain unless you have a strong, sustainable security management program in place.

In many hospitals, EHRs and other  IT costs are perceived to be so high that CIOs are not provided with sufficient budgets for needed related security upgrades. This problem is exacerbated when CIOs and IT staff do not have specialized security expertise or knowledge of security requirements to make appropriate recommendations. Inadequate spending on security directly contributed to a mammoth uptick in security breaches in 2015. Our recent FFAQ about healthcare’s “Wall of Shame” provides the gruesome details.

As your hospital moves further through Meaningful Use / MIPS Stage 2 towards Stage 3, it is required to build and maintain a tight security environment. HHS pumped up HIPAA privacy and security requirements in late 2013 with the Omnibus HIPAA Rule.  Yet 2015 was the worst year ever for massive security breaches in healthcare and 2016 is already alarming. OCR’s Phase 2 of the HIPAA Audit program is underway and specifically targets risks to protected health information (PHI), along with “pervasive non-compliance” by covered healthcare organizations.

Nearly 95% of U.S. healthcare organizations have reported some form of security breach. According to a report by Grand View Research, the overall impact of cyber attacks in particular on hospitals and healthcare systems is nearly six billion annually and growing. Patient medical and insurance records are the key targets of these such attacks.