Health industry expected to be "the most breached industry" in 2013

By Chad Grant, posted Jun 05, 2013 11:21 AM


’12 Breaches Cost Health Care $7 Billion; On Track to Be No. 1 Cyber-Attack Target

By Alex Ruoff | June 04, 2013 07:53PM ET

Source: Bloomberg Govt

(BNA) -- The health care industry faced some $7 billion in data breach costs in 2012 and is expected to surpass the financial sector as “the most breached industry” in the United States in 2013, as it increasingly becomes the focus of cyber-attacks, a health care infrastructure security expert said May 22.

Protecting the health care industry from cyber-attacks has become a national security priority, as the number of attacks rises with the spread of health information technologies, Deborah Kobza, executive director and chief executive officer at the National Health Information Sharing and Analysis Center (NH-ISAC), said. NH-ISAC is a public-private partnership organization focused on data security in the health care sector.

Data breaches of health information are estimated to have cost the health care industry $7 billion in 2012, Kobza said at the “Safeguarding Health Information: Building Assurance through Health Insurance Portability and Accountability Act Security” conference hosted by the Department of Health and Human Services Office for Civil Rights and National Institute of Standards and Technology.

That cost is expected to rise in 2013, unless health care organizations better protect their information systems, she said.

The health care industry is expected to see more directed cyber-attacks this year than any other industry, a distinction now held by the financial industry, Kobza said.

“There's a lot of scary things happening, but the health care sector has a reasonable opportunity to get in front of this,” Kobza said.

At the heart of the security effort is the February executive order to increase information sharing on potential cyber-attacks between federal agencies and U.S. companies, including those in the health care industry, she said.

Training and Informing Business Leaders

The NH-ISAC is one of several privately led sector-specific organizations established by the White House to advance physical and cybersecurity critical infrastructure resources, Kobza said. NH-ISAC works to “create and maintain frameworks for operational interaction among its members” and defense agency partners, she said.

Kobza said her group routinely monitors cyber-attacks around the world and works with private-sector partners to develop guidance on protecting against known security threats.

NH-ISAC offers training on cybersecurity measures for chief information officers of health care organizations. Kobza said the training focuses on operational readiness exercises for handling cyberthreats and data breaches.

“Cybersecurity isn't just an [information technology] responsibility; it's the business side of the house that also needs to prepare,” she said.

Kobza said NH-ISAC has also been working to increase the number of professionals in the health care field who hold security clearances in order to share with them classified information on cyber-attacks.

NIST Cybersecurity Framework

The February executive order called on NIST to develop a cybersecurity framework, an outline for reducing the risk of attack, Kevin Stine, a NIST information security specialist, said.

The cybersecurity framework is being developed to identify security standards and guidelines applicable across all sectors of critical national infrastructure, including health care, Stine said.

The framework, expected to be completed and published by February 2014, will provide a “prioritized, flexible, repeatable, performance-based and cost-effective approach” to securing information systems against attack, he said.

Governmental agencies and industry representatives urged NIST to adopt a flexible standards framework to protect critical national infrastructure from cyber-attacks (78 PRA, 4/23/13).

On May 21, a NIST official told Congress that legislation may be needed to entice industry to go along with new cyberstandards (100 PRA, 5/23/13).

NIST and White House cybersecurity officials are hosting workshops throughout the year to develop the framework. The next workshop is scheduled for May 29 in Pittsburgh.