Three things 2017 taught us about data security in healthcare
Healthcare data is one of the most sensitive forms of personal information that exists. It is also one of the most sought after – and most frequently breached. Protecting this valuable health data is proving to be increasingly challenging, but exploring recurring data breach themes can help organizations to identify where the risks exist, and therefore develop more robust defense strategies moving forward.
1) Ransomware is reaching epidemic proportions
The largest healthcare data breaches that were reported to Office for Civil Rights (OCR) in 2017 were mainly caused by hacking or IT incidents, including ransomware attacks. A survey conducted by HIMSS Analytics found that more than three-quarters of healthcare providers (78%) experienced a ransomware or malware attack in 2017, an 89% increase from the previous year.
Ransomware will continue to be a primary concern for healthcare organizations in 2018, particularly as the dependence on mobile technology and connected devices increases, leaving organizations even more vulnerable to potential attacks.
In recognition that the healthcare industry is becoming more susceptible to ransomware attacks, OCR has issued a set of HIPAA compliance guidelines to help organizations better understand and protect themselves from ransomware threats. This helpful fact sheet can be found at https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
2) Insider threats still a major issue
Insider threats accounted for 96 incidents, or 41% of data breaches in the first half of 2017 alone, resulting in more than 1.17 million breached patient records.
Whether stemming from intentional malicious activity or accidental negligence, insider threats are not as common as external attacks, but they do usually pose a much greater level of risk for organizations because they are caused by trusted insiders who have direct access to vast quantities of sensitive data. To make these matters worse, insider threats are costly to remediate, with 53% of companies estimating remediation costs of $100,000 and more, and 12% estimating costs greater than $1 million.
Insider threats will remain a major challenge to healthcare organizations in 2018, but a defense strategy can be developed through sufficiently training employees on how to recognize and report potential insider threats, and encouraging them to develop a culture of security so individuals are less likely to become a threat.
3) Smaller practices in the firing line
Small practices may be considered unlikely targets for cyber criminals but this thinking only leads to a false sense of security. The 2017 Data Breach Investigations Report (DBIR) by Verizon revealed that a higher proportion of cyber attacks are targeting smaller organizations, with 61% of data breaches occurring within organizations that have less than 1,000 employees in total. Meanwhile, the National Cyber Security Alliance (NCSA) found 60% of hacked SMBs are likely to go out of business within 6 months.
Often pressured by lack of time, resource, and expertise, a cyberattack can have a devastating effect on a small business. Even for those that survive, the reputational and financial repercussions may be felt for years to come.
Making data security a top priority in 2018
Based on the findings above, here are some tips for improving data security in 2018:
- Educate employees – Train staff to apply caution and make intelligent decisions when handling patient data.
- Restrict access – Restrict sensitive data access only to those users and devices that need it.
- Encrypt and backup data – Make it difficult for attackers to decipher sensitive data when it is in transit and at rest.
- Secure network devices – Update security settings, implement passwords and multi-factored authentication, and enable remote lock and wipe functionality.
- Audit data – Monitor data access and usage in an audit trail to make pinpointing vulnerabilities a quick and easy process, should a network become exposed to a security incident.
- Conduct frequent risk assessments – Identify security vulnerabilities in the network, shortcomings in employee education, or other inadequacies that cause concern.
- Invest in secure technologies – Put an end to non-secure communication, storage, and data management, by investing in HIPAA secure solutions that are built specifically with healthcare in mind.