Healthcare cybersecurity breaches are on the rise. In 2020, there were nearly 600 data breaches in the U.S. healthcare sector, over 50% more than in 2019. In addition, the average cost per breach is increasing, reaching nearly $500 per breached record.
The cost of a cybersecurity breach isn’t only financial. Healthcare organizations may face state and federal penalties, damage to their reputation, and loss of working hours while they shut down operations to address the breach.
However, the good news is that there are steps organizations can take to protect themselves from the most common causes of healthcare cybersecurity breaches.
Statistics show that data breaches in the healthcare sector are often caused by one of the following five issues.
Phishing is one of the most common and effective scams used by cybercriminals to breach data security in the healthcare sector. In a phishing attack, scammers will send emails to healthcare employees that appear to be from a trusted source. The aim is to trick employees into providing personal information that will allow cybercriminals to access confidential systems. Other phishing scams induce employees to click on links that then install malware. This malware then allows the cybercriminals to steal patient data, usually to either sell it or ransom it back to the victimized healthcare organization.
One of the best ways to protect your organization from phishing is to make sure your employees are well-trained in spotting and avoiding scams. For instance, a security awareness phishing campaign will simulate a phishing attack and monitor how staff respond. You can use the information to identify vulnerabilities and improve your employee training.
Failing to encrypt electronic protected health information (ePHI) is a huge issue in the healthcare sector. In fact, it has been reported that more than 60% of all major healthcare cybersecurity breaches have been caused by lost or stolen devices that contained unencrypted patient data. For instance, in 2019, a single laptop stolen from Health Share of Oregon was revealed to contain the unencrypted confidential information of more than 600,000 members.
Not only is a lack of data encryption a serious cybersecurity risk, it’s also a HIPAA violation. All healthcare organizations are legally required to use data encryption technology to protect ePHI. To help ensure you don’t risk exposing unencrypted data to cybercriminals, audit all your patient data systems and identify any that currently do not use data encryption. Then, either upgrade your systems to a version with encryption capabilities or, if necessary, switch to a new software platform with the necessary security measures in place.
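One way to start the encryption audit described above on Windows endpoints, as an added example that is not part of the original post: query each machine over PowerShell remoting and report any fixed volume that is not fully BitLocker-encrypted with protection switched on. The hostnames are constructed placeholders; the script assumes WinRM is enabled, the BitLocker module is present on the targets, and the account running it may execute remote commands.

```powershell
# Added example (not from the original post). Hostnames below are constructed
# placeholders; replace them with your own device inventory.
$Hosts = @('WS-FRONTDESK01', 'WS-NURSE02', 'LT-BILLING03')

# Collect BitLocker state for OS and data volumes on every reachable host.
$Findings = Invoke-Command -ComputerName $Hosts -ErrorAction SilentlyContinue `
    -ErrorVariable RemoteErrors -ScriptBlock {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') } |
        ForEach-Object {
            [PSCustomObject]@{
                Host             = $env:COMPUTERNAME
                MountPoint       = $_.MountPoint
                VolumeStatus     = $_.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
                ProtectionStatus = $_.ProtectionStatus  # On or Off
                # Only a fully encrypted volume with protectors active counts as compliant.
                Compliant        = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
            }
        }
}

# A host that could not be audited is an unknown, not a pass; flag it for follow-up.
foreach ($e in $RemoteErrors) {
    Write-Warning ("Remote audit error: {0}" -f $e.ToString())
}

# Report and export only the volumes that fail the check.
$NonCompliant = $Findings | Where-Object { -not $_.Compliant }
$NonCompliant | Select-Object Host, MountPoint, VolumeStatus, ProtectionStatus |
    Export-Csv -Path .\unencrypted-volumes.csv -NoTypeInformation
$NonCompliant | Format-Table Host, MountPoint, VolumeStatus, ProtectionStatus -AutoSize
```

The resulting CSV is the list of devices to upgrade or re-image before they are allowed to hold ePHI again.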
Too often, healthcare providers fail to think carefully about how to get rid of patient records once they are no longer needed. For instance, in 2020, multiple healthcare organizations were informed that the vendor they had partnered with to securely dispose of patient records had instead dumped the information in an unsecure location. The patient records included the full names, addresses, and Social Security numbers of thousands of former patients.
To help avoid this kind of cybersecurity breach, make sure that your healthcare organization has proper policies and procedures in place that will ensure you dispose of patient records securely. You should also keep a detailed record of all computers and other hardware that stores patient data and follow HIPAA-compliant procedures to dispose of the hardware when it becomes obsolete.
Many healthcare cybersecurity breaches occur when a healthcare provider makes it too easy to access patient data. To better keep your PHI and ePHI safe, use two-factor authentication to add an additional layer of security to patient data. With two-factor authentication, employees will be required to provide two different forms of identification (such as a password and a fingerprint) to access confidential data. You should make sure that this authentication process cannot be disabled by users.
It’s also critical to ensure that you know who can access patient data at all times. HIPAA regulations require you to install an automatic log-off function on any device with access to patient information to help avoid the risk of cybersecurity breaches due to a simple error of forgetting to log off/log out.
One of the biggest issues when it comes to data breaches is the idea that cybersecurity is a one-time procedure rather than an ongoing set of systems, processes, and training.
For instance, healthcare organizations may fall into the trap of using outdated IT systems that are no longer being actively patched and maintained by the developer, such as Windows 7 or Windows Server 2008 R2. Other errors include using outdated anti-malware or anti-virus software. Risks can also creep in if organizations switch to a new IT system, add new staff members, or change operational procedures without updating security protocols accordingly or providing staff security training.
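To find the unsupported systems mentioned above in a Windows domain, as an added example that is not part of the original post: list every enabled computer account in Active Directory whose recorded operating system matches an end-of-support pattern. It assumes the ActiveDirectory module (RSAT) and read access to the directory; the pattern list is an assumption you maintain yourself as vendor lifecycles change, seeded with the two systems the article names.

```powershell
# Added example (not from the original post).
Import-Module ActiveDirectory

# Windows versions no longer receiving vendor security updates (assumed list; keep it current).
# 'Windows Server 2008*' also matches Windows Server 2008 R2.
$UnsupportedPatterns = @(
    'Windows 7*',
    'Windows Server 2008*',
    'Windows XP*',
    'Windows Server 2003*'
)

# Pull only enabled accounts; disabled stale objects are a separate cleanup task.
$Computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate

$Unsupported = foreach ($c in $Computers) {
    $os = $c.OperatingSystem
    if (-not $os) { continue }          # attribute not populated; handled as "unknown" below
    foreach ($p in $UnsupportedPatterns) {
        if ($os -like $p) {
            [PSCustomObject]@{
                Name      = $c.Name
                OS        = $os
                Version   = $c.OperatingSystemVersion
                LastLogon = $c.LastLogonDate   # recent logon means the box is still in use
                Matched   = $p
            }
            break
        }
    }
}

# Accounts with no OS attribute cannot be judged from AD alone and need a manual check.
$Unknown = $Computers | Where-Object { -not $_.OperatingSystem } | Select-Object Name

$Unsupported | Sort-Object LastLogon -Descending | Format-Table -AutoSize
$Unsupported | Export-Csv -Path .\unsupported-os.csv -NoTypeInformation
"Unsupported OS: {0}   Unknown OS: {1}" -f @($Unsupported).Count, @($Unknown).Count
```

Machines that appear in the export with a recent LastLogon are the ones to prioritise for upgrade or network isolation, since they are both unpatched and actively used.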
One of the most effective ways to avoid cybersecurity breaches from the usage of outdated systems or following poor processes is to conduct routine security assessments. A comprehensive security risk assessment should evaluate your entire patient data infrastructure, including the following:
Regular security assessments should help you identify potential areas at risk of a cybersecurity breach so that you can address them promptly.
Cybersecurity breaches are a serious and growing risk for healthcare providers. However, by taking a proactive approach to data security, conducting regular security assessments, and making sure all staff and business associates are aware of the correct procedures to follow, you can better keep your patient data safe.
At Medicus IT, we know that it can be tough for busy healthcare organizations to keep up with the growing challenges of cybersecurity. However, if you don’t keep your systems, processes, and employee training up to speed, you risk exposing your patient data to a breach, harming the reputation of your organization and possibly forcing you to face significant financial losses.
The Medicus IT team of healthcare technology experts specializes in helping healthcare organizations tackle security challenges while meeting requirements, allowing you to focus more on your top priority: your patients’ wellbeing. If you’d like to find out how we help organizations like yours, please get in touch.