How to Prevent a Healthcare Data Breach
07 December 2016
HIT Security
Back in February, the Hollywood Presbyterian Medical Center in California experienced every health CIO’s worst nightmare: it was forced to shut down all of its computers and depend on fax machines and paper records for a week after being hit by ransomware.
But this was just one of many attacks that occurred in the first half of 2016. According to HIPAA Journal, 142 healthcare data breaches, each involving more than 500 records, occurred between January and July of 2016.
And that figure doesn’t come close to representing the full story: According to Ponemon’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data released in May, nearly 90% of healthcare organizations had suffered a data breach in the last two years, costing an average of $2.2 million per hack.
In another survey, “Health Care and Cyber Security,” conducted by KPMG in 2015, 81% of respondents (healthcare CIOs, CTOs, Chief Security Officers, and Chief Compliance Officers) revealed that their organizations had been compromised by at least one cyber attack in the previous 12 months. The remaining 19% of organizations included those who believed their systems had remained secure and those who did not know whether their systems had been compromised. The same report also found that only 53% of healthcare providers believed themselves capable of defending their organization from a cyber attack after detection.
In case that wasn’t enough, Experian’s 2017 Data Breach Industry Forecast predicts that healthcare organizations will be the most targeted sector for data breaches, with new, sophisticated attacks emerging.
In short: healthcare organizations are at a high risk of having their data security breached and are largely unprepared to defend against it.
3 Ways to Prevent a Healthcare Data Breach
But what can healthcare organizations do to prevent (or at least reduce the likelihood of) an attack?
1. Conduct Regular Risk Assessments
Rick Kam, president and co-founder of ID Experts, told InformationWeek’s IT Network there are some 20,000 vacant data security positions open in the healthcare sector. This has likely led to a lack of staff to enact regular preventative measures like risk assessments.
At a minimum, healthcare organizations should be performing an annual HIPAA security risk analysis. Periodic risk analysis is a requirement of the HIPAA Security Rule, so make sure to plan and budget for it in advance.
2. Vet New Cloud And Software Vendors Carefully (and Thoroughly)
When the University of Pittsburgh Medical Center was evaluating cloud services vendors, they wanted to make sure the vendors could protect their data, and so they attempted to circumvent those vendors’ security measures.
They succeeded—and not just once. They managed to access customer data from multiple vendors. Since healthcare organizations ultimately need to remain HIPAA compliant, even if using vendor services, doing thorough security inspections before selecting a vendor is critical to maintaining proper data security.
3. Encrypt Data At Rest
Research conducted by SOPHOS on The State of Encryption Today found that the healthcare sector had one of the lowest rates of data encryption, with only 31% of healthcare organizations reporting extensive use of encryption. Twenty percent said they don’t use encryption at all.
Encryption at rest is especially important for portable devices, such as laptops and other mobile devices that may be lost, stolen, or otherwise end up outside the organization’s control.
Educating End Users and Getting End-User Adoption
Often one of the biggest hurdles with any of these techniques is overcoming end-user resistance. Yet loss or theft of a mobile device or media, and breaches caused by users reusing passwords or choosing easily guessed passwords, are still very common.
According to HIPAA Journal, of the 142 breaches that occurred in the first half of 2016:
- 48 data breaches were reported as “unauthorized access”
- 43 data breaches were attributed to hacking or network server incidents
- 37 breaches were caused by the loss or theft of devices used to store ePHI or the loss/theft of physical records
- 4 breaches were due to the improper disposal of records
These 142 breaches led to more than 13 million healthcare records being exposed in just the first 6 months of 2016.
This means it’s critical that the health IT team take the time to explain to medical personnel why data security is so vital and how dangerous medical breaches can be to patients—leading to medical identity theft, which can allow the thief to obtain medical treatment, equipment, or prescription drugs in the patient’s name.
Preventing A Data Breach — Will it work?
Taking the time to enact the preventative measures above and to educate employees can help prevent a serious data breach at your organization, but it’s still a good idea to create a plan for what to do should a breach occur. After all, sometimes an apple a day is all it takes to keep the hackers away. But when that doesn’t do the trick, it pays to know where to find a doctor.