Data breaches haven’t just damaged the reputations of health care companies, but they have burned holes in their wallets too.

Cyberattacks now cost the U.S. health care industry $6.2 billion annually, according to the yearly analysis by the Ponemon Institute.

Related: Ransomware is health care's newest challenge

These alarming statistics serve as a reminder for all organizations to reevaluate their cybersecurity protocols. Regardless of your company’s cybersecurity budget, increasing your prevention and protection measures can effectively deter cybercrimes.

Here are five primary strategies that every health care business must implement to fight this new epidemic haunting the industry.

Health care providers were the most targeted industry in 2015 for cyberattacks according to IBM data. (Photo: iStock)

1. Implement a cyber risk management program

The speed of technological change in the health care sector is rapid. The pace is simply too explosive for many hospitals and health care providers to adapt to without external assistance. This, of course, requires money and operational support. Therefore, the driving influence for a robust cyber risk management program must come from the board of directors.

The Internet of Things (IoT) has tremendous application within the health care provider community, but it creates significant vulnerabilities as well. Help secure Protected Health Information (PHI) and other sensitive information by creating a risk management infrastructure based on advanced planning, education, training and monitoring for the technological devices in question.

IT managers, risk managers, in-house counsel and compliance officers must be aligned in this area. Create a work group or committee comprised of key leaders in these disciplines to focus on current and emerging issues. A budget for engaging with third parties to conduct vulnerability assessments, social engineering reviews, penetration testing, employee training and education, and general awareness surveys for their employees is essential.

Last year alone, over 100 million medical records were compromised from more than 8,000 client devices in over 100 countries across the globe. (Photo: iStock)

2. Create a data breach response plan

You cannot underestimate the importance of a plan, particularly a robust breach response plan, in the event of a loss of information by breach, extortion, or employee error.

Before creating a plan, know what’s at stake. Hacked organizations can face fines and public scrutiny that can destroy a reputation built on decades of trust. A breach can also lead to lost productivity in addition to lost revenue and the potential exposure of confidential patient information. As seen in recent cases of ransomware, a type of virus that can infiltrate a computer system and demand a ransom in exchange for control of the system, the hospitals targeted were forced to revert to business continuity plans and IT down time procedures like manual record keeping, scheduling and billing.

Health care companies must have a response plan in place to mitigate these effects. Successful cybersecurity response strategies are all about repetitive training. Your primary objective when designing an incident response strategy is to create an actionable plan. Your strategy should account for places, employees and procedures, and should be applicable to multiple situations.

Be inclusive in your employee education and communication before and during your response. Include your software developers, call centers, physicians, and other critical third parties in all training sessions.

Your employees should also be trained on what actions they can take to prevent a breach. For instance, they should be taught to identify email scams and know when not to mix personal devices with work tools.

Social engineering or “deception fraud” is a commonly used and very simple method of tricking people into disclosing sensitive data like Social Security numbers. These confidence schemes use various techniques such as phishing and pretexting, impersonation that may result in financial loss. Companies of all sizes are targeted every day.

Since October 2009, there are nearly 1,600 cases of health-related breaches impacting over 500 people. That’s almost 195 annually for the past eight years. (Photo: iStock)

3. Secure your technology

With the expanding use of smartphones, gadgets, wearables, and mobile devices, it’s imperative to preemptively encrypt all of a company’s mobile assets and allow remote wiping if the device is lost or stolen. If employees transact business on mobile devices, companies should make sure they download high-tech mobile apps, such as Good Technology or IronBox Secure File Transfer, which can provide a level of security for company devices.

Any apps used by your company should come from a reputable firm and be thoroughly vetted by an in-house IT department.

The true number of actual breaches in health care and other industries could be much larger than what has been reported. Sometimes, breaches happen without raising any flags. (Photo: iStock)

4. Know your risks

It is important to note that there is no “off the shelf” policy that will address all risks. The hospital or health care provider should take the extra steps to first identify their current and emerging risks such as what devices and software solutions they currently use as well as those contemplated in the future. Next, they should create appropriate policies and procedures for mitigating the inherent risks.

Given the pace of technological change and the seemingly endless number of bad actors that want health care data, it is essential to hire a third party to conduct a penetration test and attempt to hack into your system.

This is a great way to find out if your company is effectively using its security technologies. It will also allow you to see if your company is vulnerable and where your system may have weaknesses. Have a third party conduct social engineering exercises to test the weakest link in your security chain — your staff. In this case, a social engineering attack would involve tricking people into breaking normal security procedures by using a sudden sense of urgency.

Scammers, for example, will call the authorized employee with some kind of urgent problem that requires immediate network access. To prevent this from happening, employees must remember to never feel rushed to give out confidential information by email or phone. Many scam artists will rush the process so that they can get what they need quickly without any background check.

Human error is the leading cause of creating openings for hackers to leverage. A thorough IT vulnerability assessment can help you understand whether your security policies and awareness programs will actually prevent outsiders from obtaining valuable information or confidential patient data directly from your employees.

According to the 2013 Ponemon “Cost of a Data Breach” report, mediating a breach costs in the range of $233 per comprised health record. (Photo: iStock)

5. Create a customized insurance policy

The best way to ensure your assets are protected is to create a customized insurance response and make sure it’s well communicated throughout the enterprise. Cyber liability insurance is not standard and can come with procedure requirements and significant exclusions. Knowing your insurance will help avoid claim denials. Hold a detailed planning session with risk management, IT, senior leadership and your risk advisors, perhaps as a part of your enterprise risk management (ERM) process, to determine the specific protections your organization needs.

This approach must be continually deployed as new technologies, such as BYOD (bring your own device) and wearables, hit the health care industry.

Hospital risk managers and clinicians are familiar with the “plan, do, check, act” approach to risk management. These same basic concepts apply when creating the right insurance plan. If making the organization look less attractive to the “bad guys” prevents one intrusion, hack or ransom, the investment of time and money will be time well spent.