Not long ago, hackers focused on stealing financial data. The digitization of financial transactions brought heavy regulation and security to protect those transactions, but thieves still found ways to steal things like credit card numbers to sell on the dark web. Now, online criminals have turned their attention to more valuable digital data: your electronic healthcare records.
Why? Because, while there will always be a market for stolen financial information, the information sells cheaply. If you find out a hacker stole your credit card number, you call your bank and cancel the card. If someone steals it and tries to make large or strange purchases across the country, your bank shuts the card down and calls you about suspicious activity. Credit card theft won’t disappear, but it simply isn’t as profitable as it used to be for criminals.
Now, hackers want healthcare records. Compared to as little as $1 for a credit card number, patient records can sell for up to $1,000 on the dark web, depending on the information in the record. This data is valuable. Cybercriminals can use your healthcare records to make fraudulent insurance claims for fake procedures at fake hospitals.
Demand is high, and supply is ready to match. From 2009 to 2020, there were 2.7 billion healthcare records stolen, lossed, or disclosed without authorization, according to the HIPAA Journal. That number is roughly equal to 82 percent of the United States population.The largest healthcare hack to date, the infamous Anthem data breach in 2015, affected 78.8 million records and cost Anthem $16 million in HIPAA penalty fines. More recently, a ransomware attack on Blackbaud, a cloud computing vendor used by healthcare entities, affected dozens of healthcare providers and millions of patients. Recent studies show the rate at which hackers target large healthcare entities has continued to increase year after year.
With danger seemingly around every corner, how can you prevent your business from falling prey to a healthcare hack?
- Perform a risk assessment. To make improvements, you must first know where your business stands. Analyze the following categories:
- Blocking and tackling: Look at the basics. Are you understaffed? What are your reporting metrics, controls, policies, and processes? Do you have executive support for security budgeting?
- Compliance: Look at compliance frameworks to drive security decisions (e.g., HIPAA, HITRUST CSF)
- Risk-based analysis: You need multilayered security and a risk-based approach that can correlate events like security incidents across multiple business environments, then rank and respond to them using dynamic information security and IT audit controls
- Review your vendors and customer agreements at least annually. To take care of your data, understand the covered entity and business associate relationships. The Omnibus Rule, passed in 2013 to clarify HIPAA requirements, defined the security standards of information care for vendors in the healthcare industry, such as cloud-based companies that allow medical records to pass through their servers. Ensure your counsel properly vets and reviews all business associate agreements for compliance requirements, and perform a self-assessment against the requirements within your organization.
- Assign responsibility within your organization for compliance management. If you suffer a breach, the regulatory fines can hurt even more than the lost records—up to $50,000 per record lost. Ensure you have separate compliance managers and data privacy officers that are responsible for developing and implementing HIPAA policies and procedures. Review HIPAA section 164.308(a)(2).
For smaller organizations without an experienced security team, a virtual chief information security officer (vCISO) can be a valuable asset to your organization. A vCISO can join your team, filling a security role and making sure you meet all security and compliance requirements.
- Hold security awareness training. Whoever is responsible for security within your organization must thoroughly understand applicable compliance structures, such as HIPAA. This includes security for your own company and communications as well as business associates and covered entity relationships. Security isn’t just an IT problem—everyone, from HR to Sales, plays an important role in security. With phishing and social engineering as the biggest drivers for credential theft, training your employees on how to recognize and respond to these attempted attacks is critical. Contact an organization that specializes in security awareness training to help establish a culture of security in your organization.
- Establish a security framework. Pull everything together to create a sustainable, effective network of security checks and procedures. HITRUST CSF is the most widely adopted healthcare security framework in the United States and is an excellent framework your organization can use to mitigate security risks and establish trust with your patients and partners. HITRUST was established by healthcare and information security professionals to provide a prescriptive framework to simplify security requirements. The benefits of a HITRUST CSF Certification include:
- Decreased risk of data loss or breach;
- Access to ongoing improvement plans with interim assessments;
- Builds trust among stakeholders;
- Staying up-to-date on the latest security risks;
- Differentiates your business from the competition;
- Increases awareness of your current security posture and inherent risk;
- Demonstrates your commitment to managing risk and improving security;
- Reduces unnecessary efforts of responding to third-party questionnaires; and,
- Peace of mind knowing patient data is protected.
HITRUST offers a Readiness Assessment and a Validated Assessment against the HITRUST CSF. A Validated Assessment is conducted by a HITRUST Authorized External Assessor, like BARR, and is the only assessment that produces a validated certification report. The process at each step will vary depending on the size, structure, and maturity of your organization.
Creating a solid IT security infrastructure helps to ensure security throughout the life cycle of your most sensitive data. Establish a great framework through threat intelligence by preparing, protecting, integrating, detecting, and responding to potential and present threats as they arise. Be vigilant in your preparation so you’ll be ready when the time comes.
To learn more about how to protect your organization from security threats, or to get started on HITRUST, contact us today.
This post was originally published on Medical Practice Insider.