There has been a great deal of news coverage of recent large breaches in the healthcare industry, breaches that have affected millions of individuals. The healthcare market is the hottest place for cyber-criminals to attack. There are many reasons for this, but the simplest is that healthcare organizations are the easiest target to hit. A lack of resources, experience and information security awareness training plays a major role in why healthcare organizations are being targeted and successfully hit by these cyber-criminals.
“Organizations in the healthcare space are not playing their ‘A game’ in terms of security and data protection,” said Larry Ponemon, founder and CEO of the Ponemon Institute. “There are some exceptions, but generally speaking, healthcare providers either lack the resources, staff or the technical innovations to meet the changing cyber-threat environment.” (http://www.nbcnews.com/tech/security/health-industry-cant-protect-your-records-hackers-report-n355401 5/8/2015)
For those of you who are not already in the know on the subject, the Ponemon Institute conducts independent research on privacy, data protection and information security policy. Their 2015 Study on Privacy and Security of Healthcare Data is based on information provided by healthcare organizations large and small, as well as related businesses that often deal with healthcare records. The report concluded that no healthcare organization, regardless of size, is immune to a data breach. And in fact, half of all the organizations surveyed have “little or no confidence” in their ability to detect every theft or loss of patient data.
Other key findings:
- 91 percent of the healthcare organizations surveyed had one data breach during the past two years; 39 percent experienced two to five breaches and 40 percent had more than five!
- Data breaches are costing the healthcare industry $6 billion a year!
- Cases of medical identity theft have nearly doubled in the last five years, from 1.4 million adult victims to more than 2.3 million in 2014. (http://www.nbcnews.com/tech/security/health-industry-cant-protect-your-records-hackers-report-n355401 5/8/2015)
The “Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data” by the research firm Ponemon Institute concludes that criminal attacks in healthcare are up 125 percent since 2010. Cybercriminal incidents involving external and internal actors were the leading cause of data breaches over the past two years, the study shows. In previous studies, lost or stolen computing devices had consistently been the top breach culprit. (By Marianne Kolbasuk McGee, May 6, 2015. Healthcareinfosecurity.com)
All of this news, coupled with the findings from the original pilot HIPAA Audit Program, illustrates that there is a strong need for healthcare organizations to strengthen their information security posture and programs. This is an area that is critical to protecting the American public.
Most telling is the fact that Medical Records are now more valuable to cyber-criminals than credit card information. Rick Kam, U.S. president and co-founder of security software vendor ID Experts, which sponsored the Ponemon study, tells ISMG that stolen healthcare information is currently valued at about $60 to $70 per record by ID theft criminals, while the current value of credit card information is about 50 cents to $1 per record. “We see recognition of medical ID theft being a problem, but we don’t see many healthcare providers stepping up” in addressing the issue, he says. The Ponemon study found that nearly two-thirds of healthcare organizations and business associates do not offer any medical identity theft protection services for patients whose information has been breached.
The Ponemon study found that information most often stolen in these targeted healthcare sector attacks include medical files and billing and insurance records. (By Marianne Kolbasuk McGee, May 6, 2015. Healthcareinfosecurity.com)
There are steps you can take to gain a better security posture and ensure that, if you do suffer an attack or breach, you will be able to respond effectively. If you are a healthcare organization, keep in mind that you are required under HIPAA regulations to complete periodic, thorough and comprehensive Security Risk Assessments. This will allow you to gain a better understanding of your strengths and weaknesses in regard to securing patient information. Furthermore, you are required to have a risk management plan in place that includes having a security risk analysis completed annually as part of your process, as well as an incident response plan.
The more thorough you are, the better off your institution will be. This will result in your practice being better positioned to withstand malicious activity and regulatory scrutiny. Having a risk management plan in place, completing annual risk assessments and following through on mitigation plans will have several positive impacts on your practice. It will decrease the likelihood of downtime and its impact on patient care. Moreover, it will reduce the risk of a data breach, along with the associated penalties and negative publicity. A data breach may have a lasting impact on your reputation, as well as on the overall confidence a prospective patient may have in your practice. A solid risk assessment will ensure you are compliant with HIPAA/HITECH and the CMS Incentive Program mandates.
Here are some things to keep in mind as you review your physical, administrative and technical safeguards as part of your risk assessment.
From a physical standpoint, be sure to check on the following key aspects of your environment:
- external door locks and alarms
- emergency water and power shut off
- smoke alarms and fire extinguishers
- internal locks or monitoring for secured areas
- server or wiring rooms
- paper charts (where and how they are stored)
- medication closets or cabinets and their locks
- laptops and workstations
- patient and visitor logs
- internal separation between front office and back office
Administrative safeguards that need to be reviewed include your policies and procedures. This is an area that is often overlooked. Simply having a policy or procedure in place does not, by itself, meet regulatory requirements. You should have a documented, written policy, backed up with standards and procedures that all employees understand. Per HIPAA, there are numerous requirements that must be met, and each of these criteria has specific implementation requirements that must be documented. For example, your workforce clearance policy should describe how you grant clearance to an employee. It must also state whether or not you complete background checks, what type of check you do, whether you re-screen and how frequently you do so. The policies and procedures you have in place will guide how you protect PHI.
When reviewing your technical safeguards, keep in mind that some of these will also be covered in your administrative safeguards – including your information security policies. New threats, from viruses, malware and the like, evolve on a daily basis, but you also need to take the human factor into consideration. Phishing is growing more and more prevalent, and you must inform your workforce about these threats and how to handle them appropriately. You must also monitor your logs and keep up to date with security updates, patches and antivirus software.
Encryption is also a critical concern. Of the breaches that have led to large fines over the last few years, nearly all of them involved an unencrypted device and a failure to complete a thorough and comprehensive security risk assessment. The only way to ensure you are protecting PHI in the case of a lost or stolen device is to have Full Disk Encryption that meets the NIST standard definition. Although there are alternative measures available, the only acceptable way to ensure protection is Full Disk Encryption. There are many encryption options available to you; look into the options that best meet your practice's needs and financial considerations.
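A risk assessment should produce evidence, not just a statement, that Full Disk Encryption is actually in force on each workstation and laptop. The following is an added example (not part of the original post) that audits BitLocker status on a Windows machine with the built-in BitLocker module; the policy thresholds it enforces (every volume fully encrypted, protection on, XTS-AES-256) are my assumptions, and the output file path is a placeholder.

```powershell
# Added example: report BitLocker volumes that fall short of an assumed FDE policy.
# Requires the built-in BitLocker module (Windows 8 / Server 2012 and later), run elevated.
function Get-FdeFindings {
    param(
        # Ciphers accepted under the assumed policy (XTS-AES-256 is the current default on Windows 10+)
        [string[]]$AllowedMethods = @('XtsAes256')
    )
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        $issues = @()
        # A volume that is decrypted or mid-conversion still exposes plaintext PHI
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $issues += "volume status is $($vol.VolumeStatus)"
        }
        # Encrypted but 'Off' means protectors are suspended: the key is stored in the clear
        if ($vol.ProtectionStatus -ne 'On') {
            $issues += "protection status is $($vol.ProtectionStatus)"
        }
        # Legacy ciphers (AES-128 with diffuser, plain CBC) do not meet the assumed policy
        if ($vol.EncryptionMethod -notin $AllowedMethods) {
            $issues += "encryption method is $($vol.EncryptionMethod)"
        }
        # Without a recovery password protector, a locked drive cannot be recovered after a TPM change
        if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            $issues += 'no recovery password protector is escrowed'
        }
        if ($issues.Count -gt 0) {
            $findings += [pscustomobject]@{
                Host     = $env:COMPUTERNAME
                Volume   = $vol.MountPoint
                Type     = $vol.VolumeType
                Finding  = ($issues -join '; ')
                Checked  = (Get-Date).ToString('s')
            }
        }
    }
    return $findings
}

# Keep the result as risk-assessment evidence (placeholder path; adjust to your evidence store).
$findings = Get-FdeFindings
$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "C:\PLACEHOLDER\fde-findings-$env:COMPUTERNAME.csv"
```

An empty result is the evidence you want to file; any row is a mitigation item for the risk management plan.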
In a world where cyber-criminals are attacking with greater frequency across a broad range of industries, it is vitally important that healthcare organizations take the appropriate steps to mitigate the likelihood of breaches. With medical records selling for $60.00-70.00 per record while credit card information sells for $0.50-1.00 per record, the risk is greater than ever before and not likely to go away. It is time for healthcare organizations to bring their information security “A” game.