News of a healthcare security breach or ransomware incident has become almost commonplace. Hackers have developed increased proficiency in identifying and exploiting security vulnerabilities in healthcare IT security, and environments that are otherwise considered HIPAA compliant are certainly not immune. Protected Health Information (PHI) is a juicy target for hackers because it provides huge payoffs on the “dark web,” where hackers openly promote themselves and their stolen wares.
These attacks can cost healthcare providers millions of dollars, not to mention generate negative publicity and reputational damage that can be difficult to recover from. Breaches can also instigate Office of Civil Rights (OCR) investigations, as well as incur additional costs such as credit monitoring fees for affected residents. According to the 2018 Ponemon Institute study, criminal attacks on healthcare data were up 125 percent compared to the previous five years, while healthcare data breaches cost organizations $408 per record, the highest of any industry.
Healthcare providers have a legal and ethical duty to protect patient information. As a provider, you already know that HIPAA law requires you to institute administrative, physical, and technical measures to safeguard against unauthorized use and disclosure of PHI. However, HIPAA compliance does not necessarily make you immune to hackers. So how can you best protect your ePHI?
- Recognize the risk. No organization is impervious to cyberattack. The number of incidents that evade traditional security defenses are increasing at an alarming rate, and with the growing prevalence of Electronic Health Records (EHR), the playing field has become even more enticing to scammers. True cybersecurity requires preparation, vigilance, and a proactive game-plan.
- Monitor data movement in your EHR system. Scrutinize physical and system access. Analyze work station usage. Audit and monitor system users. In short, implement and practice a vigilant monitoring system that allows you to immediately and continually identify and investigate abnormalities.
- Encrypt your ePHI. Encryption uses mathematical formulas to scramble data, making sensitive details desirable to hackers unreadable without a decryption key or code. Encrypting data can prevent sensitive information from being compromised in transit or at rest and is critical considering the high incidence of lost or stolen disks, tapes, laptops, USB storage devices, and/or smartphones. Hackers often use mobile devices as “the way in”, and if one mobile device is compromised, the EHRs on the server could be at risk.
- Conduct frequent vulnerability and penetration testing. Penetration testing can identify and exploit vulnerabilities in an effort to determine the likelihood of real-world threats against an organization’s IT assets and physical security. Successful testing will simulate the practices and methods of external or internal agents attempting unauthorized data access. Immediately address and correct all security gaps identified in the testing.
- Invest in employee security awareness training. Employee carelessness, forgetfulness and/or lack of knowledge can create a huge gap in an otherwise secure setting. Make sure your employees understand the mechanics of spam, phishing and malware. Test the success of your training by initiating your own internal phishing expeditions to attempt to solicit information from your employees. Hackers often masquerade as a trustworthy entity, such as an organization’s CEO, to prey on unsuspecting or unknowing employees who they hope are too busy to pay attention to the details.
Finally, don’t underestimate the complexity of IT security. Complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies, and changes in business processes can make it difficult to stay in front of emerging threats. Consider hiring a compliance partner to help navigate the process by designing a customized approach based on your organization and tailored to meet your specific regulatory requirements and state statutes.
To learn how BlueOrange Compliance helps healthcare organizations protect against cyber threats, request a free consult.