According to the Department of Health and Human Services (HHS), healthcare organizations are failing to keep patient data secure. Security experts outside of HHS underscore that healthcare cybercrime will increase in 2018 because protected health information (PHI) has become a valuable commodity on the dark web.
Think a credit card is more valuable than healthcare information? Think again! The going rate for a healthcare record in 2018 is currently 1200 bucks! That’s more than 100 times the worth of a credit card.
The bottom line: criminals see healthcare as a major way to bankroll serious cash, and if you’re not careful your office may be the next unsuspecting victim!
So that you’re prepared in 2018, I wanted to talk about the 10 most significant healthcare information security warnings that most experts believe will happen this year.
- Uptick in ransomware (and ransomware costs)—with the growing number of businesses willing to pay ransoms, criminals continue to exploit unsuspecting offices that do not adequately back up their data. In some instances, the same office has been attacked multiple times simply because it failed to protect and back up its information. Every business, but especially healthcare organizations, needs to implement preventative measures to avoid ransom attacks and have disaster recovery plans that adequately address them. Some things you should immediately be thinking about: regular, tested backups of critical data, smart firewalls to detect suspicious activity, network monitoring, computer patching and user training to avoid scams.
- More vulnerable medical devices—increased connectivity of smart devices online is expected to lead to increased risks to patient data security and privacy. Hacked or breached devices that are connected to the internet may be one easy way for hackers to get onto a device and transmit sensitive medical information (compromising patient identities) off the network. While medical engineers need to think harder about device security, your office can help prevent device attacks by having a secure network for your office staff that is separate from the network guests are able to access, and by having network monitoring that can pinpoint suspicious activity from each and every device (these are things your IT Support should be doing, but they are commonly overlooked).
- Devices brought to the office will open your network to more breaches—most professions cannot get their work done in 2018 without personal devices. Phones, tablets, and laptops, for example, are all essential tools in the modern workplace. The problem, though, is that they move in and out of your network and can carry and transmit viruses to even secure networks. Your office needs first and foremost to establish a published device policy for users and should limit the extent to which devices are able to access the network. You should also consider whether protected health information is permissible on personal devices—are these devices secure 24/7? Is the data on them encrypted? If not, those devices might not be trusted keepers of protected information.
- More insiders are selling patient data—security experts have seen an uptick in the sale of personal health data by people working inside healthcare offices. Since medical records go for big bucks, workers may be tempted to earn a little extra pocket money for that shiny new toy by compromising a couple of patient records. Your organization should have established access monitoring policies and procedures and should enforce them when staff do not comply (this is something IT Support teams well-versed in HIPAA compliance should be doing for your office already!).
- More breaches from lack of cybersecurity training and awareness—many healthcare organizations are treating cybersecurity training as a ‘one and done’ exercise, or aren’t training their entire teams on security at all. Without training, staff will make mistakes, unexpectedly let breaches happen and give hackers easy ways onto networks. More training and awareness are key components to nipping cybersecurity risks in the bud. When users tangibly understand security risks and why their behaviors affect the security of patient data, user-initiated breaches are nearly completely eliminated.
- Your business associates are getting targeted—more and more business associates (BAs) that have access to some or all of your PHI are becoming bigger targets for attack. While many healthcare organizations take cybersecurity and HIPAA compliance seriously, they fail to recognize that their secure data may not be that secure once it leaves the confines of their HIPAA-compliant network. More often than not, BAs do not have comprehensive information security, do not comply with HIPAA standards and are the sources of data breaches. Your office is a sanctuary of trust and confidence for patients. Can you afford for a BA (even one that has signed a business associate agreement, or BAA) to put your PHI at risk?
- Old bugs and vulnerabilities will get exploited—hackers are looking for easy ways into networks. Unpatched systems or other old vulnerabilities that haven’t been mitigated are expected to be one of the easiest ways for criminals to target and exploit healthcare offices. We recommend having a third-party security assessment of your network to make sure everything is secure, and fixing problems associated with unpatched or legacy systems to avoid compromising your PHI.
- Improper disposal of data—huge breaches in the past have come from improper disposal of data. Fax machines, printers, paper records and old computers all hold PHI and are often not wiped before disposal. Many offices fail to ensure that machines are destroyed or that data is properly removed before devices are moved offsite. Your office needs to ensure you have policies and processes in place to dispose of data before any device gets moved out of your facilities.
- Increased breaches due to misunderstanding what personal information is—even large healthcare organizations will face ambiguity among staff and business associates regarding what personal health information is. There are countless ways for information to be leaked and HIPAA compliance violated (see my latest book on easy HIPAA compliance and cybersecurity for greater detail). Your office needs to ensure that information that should be treated as sensitive is consistently treated that way, with processes to minimize exposure of data (IT Support should take appropriate actions to ensure your data is safe).
- Non-compliance penalties are on the rise—infractions like the incidents mentioned above (and others I outline in my latest book) will result in huge, possibly business-ending non-compliance fines and penalties. The Department of Health and Human Services (HHS) has been cracking down on non-compliance with HIPAA-HITECH regulations and is increasing penalties, such as through implementation of MACRA policies for Medicare.
Is your office taking all the steps it should to be compliant? Get a copy of Plagued: The CEOs Ultimate Guide To HIPAA and Cybersecurity today to get on track!