While there are many compelling reasons to be vigilant when protecting PHI (protected health information) and other healthcare data, the Office for Civil Rights (OCR) has a reason that would get anyone’s attention – fines, and large ones. In November of 2015, the OCR fined Anthem a whopping $16 million for a data breach that exposed the PHI of nearly 79 million patients. Both the breach and the fine are the largest in their respective categories.
The breach occurred after at least one employee responded to a phishing email. The attack exposed names, dates of birth, social security numbers, email addresses, and employment information to the attackers, in a breach that began in early December 2014 and ended in late January 2015.
While Anthem serves as a painful example of how vulnerable all organizations and their healthcare data are to this kind of threat, they are not alone. The HIPAA Journal’s latest data shows that nearly 39 million patient records were breached in 2019 between the months of January and November, as opposed to the more than 12 million records exposed by breaches in 2018. Phishing remains the tool of choice for cyber criminals targeting healthcare organizations. So, how do healthcare organizations protect themselves from attacks like this?
Because companies are now reasonably well-protected against this type of crime by technology, cyber-criminals have turned their attention to our remaining vulnerabilities: the people who work for those companies and, in some cases, the medical devices used in healthcare settings. Most research still shows that as many as 70% of employees may be unable to recognize a phishing attempt.
Phishing is the practice of sending fraudulent emails, purportedly from reputable companies, in order to get people to reveal sensitive or protected data. Up to 70% of all healthcare data breaches can be traced back to a human, and in our culture the easiest way to get to a human is by email. Perhaps it works because many, maybe even most, people have an inherent instinct to help. That trait may be even more prevalent among healthcare workers.
The integration of medical devices, networking, software, operating systems and electronic medical records may ultimately improve the care that is provided to patients, but it has also created new ways in which healthcare organizations are vulnerable to cyber-criminals who can exploit the devices by targeting web servers, database servers or application software.
The most vulnerable part of any organization is its people, which makes establishing a security culture essential to your defense. Most users probably believe that they would never engage in the kinds of careless computer use that might result in a breach, but when tested, the majority of employees are likely to be rated a security risk. Given the increasingly “slippery” nature of cybercriminals, how should healthcare organizations protect themselves, their patients and their employees?
Given the complicated and evolving nature of the threat, education and training should be frequent and ongoing. As the threat evolves, our training should too. As a guiding principle for healthcare data security, we should try to ensure that the practices that protect our information systems are followed as rigorously as handwashing.
Mobile devices have changed the way in which healthcare is delivered and have made the electronic transfer of data faster and more efficient; however, they are also easy to lose and are vulnerable to theft. Strong passwords and data encryption are key to cybersecurity for mobile devices and apps.
Unless a system is completely disconnected from the internet, it needs a firewall that is installed, configured, maintained and monitored by IT specialists.
Because modern computing systems are complex, they are vulnerable to viruses, so well-maintained, frequently updated anti-virus software should be a key component in the fight to avoid data breaches. In addition, fairly innocuous things such as CDs, flash drives, email attachments and web downloads can carry malware that makes systems vulnerable to breaches.