When it comes to cybersecurity for healthcare, you can't be too careful. After all, there were nearly 600 reported data breaches in the healthcare sector in 2020. That's up more than 55% from 2019. And the U.S. Department of Health and Human Services Breach Portal recorded 325 new data breaches affecting at least 500 pieces of protected health information (PHI) in the first half of 2021 alone.
Healthcare data is of particular interest to cybercriminals. Confidential patient information is one of the most valuable forms of data on the black market, which is helping drive an ever-increasing number of cyberattacks. Experian reported that stolen medical records fetch up to a $1,000. That’s 200x the value of a credit or debit card with a CVV number.
However, while most healthcare practices are aware that they need to handle their patient data with care, many data breaches in the healthcare sector are the result of human error and mistaken beliefs. These common oversights place practice, ambulatory surgery centers (ASCs), community health centers, and other healthcare organizations at risk of experiencing cybercrime — a threat that we take seriously at Medicus IT.
Misconceptions About Cybersecurity for Healthcare
Let's examine four beliefs underlying common mistakes that expose healthcare practices to targeting by cybercriminals and explain what you should do instead.
1. "We're too small for cybercriminals to bother with."
Too many healthcare organizations assume that cybercriminals are only interested in targeting large organizations, such as hospitals, health systems, and major healthcare software vendors.
Nothing could be further from the truth. While the cybercrimes that make the news usually involve big players, one in every three healthcare data breaches affect smaller organizations, such as physician practices and ASCs.
Why? Smaller organizations tend to have a few factors working against them which can make them potentially easier targets for cybercriminals to target. For example, smaller organizations may struggle to keep current with the latest threats and challenges, may lack cybersecurity posture maturity, do not know about or are not using the right cybersecurity tools, and may have smaller cybersecurity budgets. Unfortunately, many small organizations compound the problem by not prioritizing cybersecurity.
However, if you take cybersecurity for healthcare seriously, even small healthcare organizations can afford to take steps to better protect their sensitive patient data. Understanding and following HIPAA guidelines is a great place to start. This HIPAA compliance checklist will help you reduce your risk of data breaches and better ensure sure you remain HIPAA compliant.
2. "I'm sure all our security software is more or less up to date. We did that big update just a few years ago."
Healthcare practices are busy places, so it's no wonder that security updates aren't always at the top of the priority list. However, technology is changing fast, and cybercriminals are constantly working to bypass security. To keep up, software vendors release frequent security patches and updates to their solutions. If patching is not performed in a timely manner, outdated patching is more susceptible to cyberattacks and data breaches.
In other words, never assume that your patching and updates are current. Make certain that you have processes to install updates regularly and verify that they happened. Regular security assessments aren't only a requirement for HIPAA compliance; they're also a great way to spot non-compliant security patching and updates that could also make you vulnerable to a cyberattack.
3. "We have annual compliance training, so all our employees know how to properly look after patient data."
A report by Egress found that about 60% of IT leaders expected to experience an accidental data breach within a year, and about 80% of these leaders said that employees had placed sensitive data at risk. Healthcare organizations are particularly vulnerable to data breaches caused by human error. While Verizon's 2021 Data Breach Investigations Report notes that "the healthcare sector has seen a shift from breaches caused by internal actors to primarily external actors," the most common error leading to data compromise continues to be the misdelivery of electronic and paper documents
Many practice managers are under the impression that annual compliance training is enough to keep their organization safe. Unfortunately, cybersecurity for healthcare is complex and constantly evolving. A one-off, once-a-year training event is simply not enough to keep healthcare data safe.
One of the most important healthcare and cybersecurity best practices is building a "risk-aware culture." Employees must learn how to spot and respond to threats of cyberattacks. One way to help achieve this is to provide security awareness campaigns on an ongoing basis, and sometimes during a normal working day.
For example, a simulated phishing attack will reproduce a typical phishing attempt and track how employees respond. This will help you to raise awareness with employees, provide extra training to any individuals who fell victim to the simulated attack and keep cybersecurity top of mind.
4. "It's cheaper and easier to upgrade all our computers and laptops every few years instead of paying for ongoing maintenance and support."
Hardware, such as computers, laptops, and tablets, can also be a source of significant risks to healthcare cybersecurity. There are multiple reasons why, including the following:
- Security upgrades may cease to support older devices, meaning that these devices would no longer have the ability to update and/or patch the latest version of the operating system. This could lead to an exploitable vulnerability
- The longer a device has been on the market, the more opportunities cybercriminals have had to discover vulnerabilities.
- Some hardware, such as laptops, tablets, and flash drives, are extremely vulnerable to physical theft. A dermatology practice was once fined $150,000 for the loss of a flash drive that contained unencrypted patient health information. Worse, a cardiac monitoring vendor that had a staff laptop stolen from a parked car was fined $2.5 million by the federal government.
- Some healthcare practices are unaware of how to safely scrub and dispose of hardware containing patient data, thus placing that data at risk even after the devices are no longer in use.
The best solution for many healthcare organizations is to stop buying hardware as needed and instead switch over to a hardware as a Service (HaaS) model. With HaaS, you pay a managed services provider (MSP), such as Medicus IT, to handle all your hardware upgrades and perform maintenance and management of all devices. Taking this step will mean that your hardware is more secure and always updated.
Switching to a HaaS model can also save you significant time and money in the long run. Instead of buying hardware in a rush when something breaks, your MSP will be responsible for finding and purchasing the hardware you need. And instead of paying a premium for emergency IT maintenance, a HaaS model makes such maintenance more cost-effective and while likely reducing costly operational downtime.
Healthcare and Cybersecurity: Taking Charge
Cybersecurity for healthcare is an ongoing challenge. The fallout from a breach can be substantial, from fines to the cost of risk mitigation for patients to the overall damage to an organization's brand and reputation. A breach can force a healthcare organization to shut down operations for multiple days or much longer. In fact, some organizations have even ceased operations.
That's why healthcare organizations must understand and follow cybersecurity best practices to reduce the likelihood of cybercriminal success. One of the best of the best practices is to partner with a healthcare-managed services provider that can deliver products and services which address security vulnerabilities and strengthen an organization’s cybersecurity posture. To learn how Medicus IT is doing just that and more for practices, ASCs, community health centers, and other healthcare organizations nationwide, contact us by clicking here.