Healthcare IT Cyber Security

Posted by John Dimaggio on Mar 23, 2016 3:31:50 PM


News of a healthcare security breach or ransomware incident has become almost commonplace. Hackers have developed increased proficiency in identifying and exploiting security vulnerabilities in healthcare IT security, and environments that are otherwise considered “HIPAA compliant” are certainly not immune. Protected Health Information (PHI) is a juicy target for hackers because it provides huge payoffs on the “dark web”, where hackers openly promote themselves and their stolen wares.

These attacks can cost healthcare providers millions of dollars, not to mention generate negative publicity and reputational damage that can be difficult to recover from. Breaches can also instigate OCR investigations, as well as incur additional costs such as credit monitoring fees for affected residents. According to a May 2015 Ponemon Institute study, criminal attacks on healthcare data are up 125% compared to five years ago, and the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million.

Healthcare providers have a legal and ethical duty to protect patient information. As a provider, you already know that HIPAA law requires you to institute administrative, physical and technical measures to safeguard against unauthorized use and disclosure of PHI. But HIPAA compliance does not necessarily make you immune to hackers. So how can you best protect your EPHI?

  • Recognize the risk. No organization is impervious to cyber-attack. The number of incidents that evade traditional security defenses is increasing at an alarming rate, and with the growing prevalence of Electronic Health Records, the playing field has become even more enticing to scammers. True cybersecurity requires preparation, vigilance, and a proactive game-plan.
  • Monitor data movement in your electronic health record system. Scrutinize physical and system access. Analyze workstation usage. Audit and monitor system users. In short, implement and practice a vigilant monitoring system that allows you to immediately and continually identify and investigate abnormalities.
  • Encrypt your EPHI. Encryption uses mathematical formulas to scramble data, making the sensitive details hackers seek unreadable without the decryption key or code. Encrypting data can prevent sensitive information from being compromised in transit or at rest, and is critical in light of the high incidence of lost or stolen disks, tapes, laptops, USB storage devices, and/or smartphones. Hackers often use mobile devices as “the way in”, and if one mobile device is compromised, the EHRs on the server could be at risk.
  • Conduct frequent vulnerability and penetration testing. Penetration testing can identify and exploit vulnerabilities in an effort to determine the likelihood of real-world threats against an organization’s IT assets and physical security. Successful testing will simulate the practices and methods of external or internal agents attempting unauthorized data access. Immediately address and correct all security gaps identified in the testing.
  • Invest in employee security awareness training. Employee carelessness, forgetfulness and/or lack of knowledge can create a huge gap in an otherwise secure setting. Make sure your employees understand the mechanics of spam, phishing and malware. Test the success of your training by initiating your own internal phishing expeditions to attempt to solicit information from your employees. Hackers often masquerade as a trustworthy entity, such as an organization’s CEO, to prey on unsuspecting or unknowing employees whom they hope are too busy to pay attention to the details.
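As an added example of the kind of monitoring the second item above calls for (this is not code from the original post or from BlueOrange Compliance), the following Python script parses a constructed EHR access audit log and flags two abnormalities worth investigating: a user opening far more distinct patient charts within one hour than their role's expected baseline, and any access outside business hours. The log format, the role baselines, the business-hour window and every record in the sample are assumptions made for this example.

```python
"""Added example: flagging abnormal EHR chart access in an audit log.

Not code from the original post or from BlueOrange Compliance. The log
format, role baselines, business-hour window and sample records below are
all assumptions constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    action: str
    workstation: str


def parse_audit_line(line: str) -> AccessEvent:
    """Parse one whitespace-separated record (assumed format):
    <ISO timestamp> <user> <role> <patient_id> <action> <workstation>"""
    ts, user, role, patient_id, action, ws = line.split()
    return AccessEvent(datetime.fromisoformat(ts), user, role, patient_id, action, ws)


# Assumed baseline: the most distinct patient charts a role is expected to
# open in any single hour of normal work.
ROLE_HOURLY_BASELINE = {"nurse": 15, "physician": 25, "billing": 20}
DEFAULT_HOURLY_BASELINE = 10

# Assumed business-hour window; access outside it is worth a second look.
BUSINESS_HOURS_START = time(6, 0)
BUSINESS_HOURS_END = time(20, 0)

# Constructed sample audit records (not real data).
SAMPLE_LINES = [
    "2016-03-22T09:02:11 jsmith nurse P1001 view WS-ICU-1",
    "2016-03-22T09:05:40 jsmith nurse P1002 view WS-ICU-1",
    "2016-03-22T09:30:05 jsmith nurse P1003 view WS-ICU-1",
    "2016-03-22T23:41:09 kpatel nurse P2001 export WS-ICU-2",
]
# Constructed burst: one billing user opening 30 different charts in one hour.
SAMPLE_LINES += [
    f"2016-03-22T10:{14 + i:02d}:00 rlee billing P{3000 + i} view WS-ADM-4"
    for i in range(30)
]


def load_events(lines):
    return [parse_audit_line(line) for line in lines if line.strip()]


def find_anomalies(events):
    """Return a list of findings, each a dict with at least 'rule' and 'user'."""
    findings = []
    # (user, role, hour bucket) -> set of distinct patient ids touched
    charts_per_hour = defaultdict(set)

    for ev in events:
        hour = ev.ts.replace(minute=0, second=0, microsecond=0)
        charts_per_hour[(ev.user, ev.role, hour)].add(ev.patient_id)

        in_hours = BUSINESS_HOURS_START <= ev.ts.time() < BUSINESS_HOURS_END
        if not in_hours:
            findings.append({
                "rule": "after_hours_access",
                "user": ev.user,
                "detail": f"{ev.action} of {ev.patient_id} at {ev.ts.isoformat()} "
                          f"from {ev.workstation}",
            })

    for (user, role, hour), patients in charts_per_hour.items():
        limit = ROLE_HOURLY_BASELINE.get(role, DEFAULT_HOURLY_BASELINE)
        if len(patients) > limit:
            findings.append({
                "rule": "high_volume_chart_access",
                "user": user,
                "distinct_patients": len(patients),
                "detail": f"{role} opened {len(patients)} distinct charts in the "
                          f"hour starting {hour.isoformat()} (baseline {limit})",
            })
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(load_events(SAMPLE_LINES)):
        print(f"[{finding['rule']}] {finding['user']}: {finding['detail']}")
```

Run as a script it prints one line per finding; in practice the baselines would come from each role's observed history rather than fixed constants, and each finding would feed a review queue rather than stand as a verdict on its own.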

Finally, don’t underestimate the complexity of IT security. Complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to stay in front of emerging threats. Consider hiring a compliance partner to help navigate the process by designing a customized approach based on your organization and tailored to meet your specific regulatory requirements and state statutes.

BlueOrange Compliance has been providing privacy and security assessments, remediation and guidance since the inception of HITECH, and has over 50 years of experience in technology security, compliance and healthcare. Our national client base consists of hospitals, physician provider practices, nursing facilities, LTC pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.