Avoiding Healthcare Data Breaches - Practical Security Measures
February 12, 2020
While there are many compelling reasons to be vigilant when protecting PHI (protected health information) and other healthcare data, the Office of Civil Rights (OCR) has a reason that would get anyone’s attention – fines, large ones. In November of 2015, the OCR fined Anthem a whopping $16 million for a data breach that exposed the PHI of nearly 79 million patients. Both the breach and the fine are the largest in their respective categories.
The breach occurred after at least one employee responded to a phishing email. The attack resulted in the names, dates of birth, social security numbers, email addresses, and employment information being exposed to the attackers in a breach that began in early December 2014 and ended in late January 2015.
Managing Increasing Risk - Preparing Healthcare Organizations for an Evolving Threat
While Anthem serves as a painful example of how vulnerable all organizations and their healthcare data are to this kind of threat, it is not alone. The HIPAA Journal’s latest data shows that nearly 39 million patient records were breached in 2019 between the months of January and November, as opposed to the more than 12 million records exposed by breaches in 2018. Phishing remains the tool of choice for cyber-criminals targeting healthcare organizations. So, how do healthcare organizations protect themselves from attacks like this?
How Do Breaches Occur and Where Are We Vulnerable?
Because companies are now reasonably well-protected against this type of crime by technology, cyber-criminals have turned their attention to our remaining vulnerabilities – the people who work for those companies and, in some cases, the medical devices used in healthcare settings. Most research still shows that as many as 70% of employees may be unable to recognize a phishing attempt.
Phishing is the practice of sending fraudulent emails, purportedly from reputable companies, in order to get people to reveal sensitive or protected data. Up to 70% of all healthcare data breaches can be traced back to a human, and in our culture, the easiest way to get to a human is by email. Perhaps it works because many, maybe even most, people have an inherent instinct to help. That trait may be even more prevalent among healthcare workers.
The integration of medical devices, networking, software, operating systems and electronic medical records may ultimately improve the care that is provided to patients, but it has also created new ways in which healthcare organizations are vulnerable to cyber-criminals who can exploit the devices by targeting web servers, database servers or application software.
The Best Defense Against Healthcare Data Breaches – Establish a Culture of Security
The most vulnerable part of any organization is its people, which makes establishing a security culture essential to your defense. Most users probably believe that they would never engage in the kinds of careless computer use that might result in a breach, but when tested, the majority of employees are likely to be rated a security risk. Given the increasingly “slippery” nature of cybercriminals, how should healthcare organizations protect themselves, their patients and their employees?
Given the complicated and evolving nature of the threat, education and training should be frequent and ongoing. As the threat evolves, our training should too. As a guiding principle for healthcare data security, we should try to ensure that the practices that protect our information systems are followed as rigorously as handwashing.
Protect Mobile Devices and Apps Against a Healthcare Data Breach
Mobile devices have changed the way in which healthcare is delivered and made the electronic transfer of data faster and more efficient; however, they are also easy to lose and are vulnerable to theft. Strong passwords and data encryption are key to cybersecurity for mobile devices and apps.
Firewall and Anti-Virus Software Are Essential for Healthcare Data Security
Any system that is connected to the internet needs a firewall that is installed, configured, maintained and monitored by IT specialists.
By virtue of the complex nature of computing, systems are vulnerable to viruses, so well-maintained, frequently-updated anti-virus software should be a key component in the fight to avoid data breaches. In addition, fairly innocuous things such as CDs, flash drives, email attachments and web downloads can contain malicious viruses that make systems vulnerable to breaches.