Safeguard Protected Health Information Because It is Valuable Currency to Cybercriminals
The digitization of medical care has become a double-edged sword, making it challenging for organizations to safeguard protected health information. Healthcare providers like Kaiser Permanente have used medical records to improve standards of care and communication for their members, but not all organizations have been so deft at embracing the digital era.
In 2015, the National Committee for Quality Assurance found that Kaiser Permanente ranked first in 21 different healthcare quality measures, more than any other health plan in the country. Kaiser’s quality of care is due in no small part to its sophisticated medical records system. But while electronic medical recordkeeping has been a benefit for Kaiser, electronically safeguarding protected health information has been a challenge for other organizations.
Healthcare Hacks Are a Cautionary Tale
The 2015 hack of the largest health insurance company in the U.S. was an excellent example of the risks associated with the digitization of protected health information. The February 2015 Anthem hack affected up to 80 million people and may have been going on for as long as ten months.
Although Anthem says no medical information was compromised, that’s a small consolation for the millions of people whose Personally Identifiable Information (PII) like Social Security numbers, medical ID numbers, names, dates of birth, and other personal information was stolen. Not only is their stolen information a risk for identity theft, it also puts them at risk for several nasty cybercrime consequences.
In incidents like this one, the initial hack and theft of data is just the start of the cybercrime cascade. The information gained in this kind of security breach gives cybercriminals the opportunity to make money from selling the stolen data in booming Dark Web data markets. It also empowers them to use it as fuel to launch a barrage of phishing attacks in the wake of the data breach.
The medical industry has long lagged behind other industries in its use of technology and now finds itself playing catch-up. Especially now that healthcare data has become so valuable, the fragmentation and ad hoc nature of the medical records and health technology ecosystem is dangerous. Cybercriminals know that this is the ideal time to target health organizations, when they’re both overburdened and understaffed – and they’re not hesitating to take advantage of the opportunity.
4 Steps to Safeguard Protected Health Information
So, what can healthcare providers do to minimize risk for both their businesses and their patients? Take these four steps to safeguard Protected Health Information (PHI).
1 – Conduct a Risk Assessment and Implement a Risk Management Program
This isn’t just a good idea, it’s a requirement under the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations should assess and address security vulnerabilities. The experts at ID Agent can help make sure that you’re covering all of your bases.
Even a small healthcare practice needs to have basic plans in place for how to handle a breach or other cybersecurity incident. Take the time to make an Incident Response Plan now, because you don’t want to be scrambling to figure things out in the middle of a cybersecurity crisis.
2 – Electronically Safeguard PHI
Electronic patient medical data should also be secured with a powerful secure identity and access management solution like Passly. While multifactor authentication is not a legal requirement for healthcare providers under HIPAA, it is both a cybersecurity and compliance best practice. Passly provides that tool as well as other security safeguards in one affordable, multifunctional package.
Taking care to safeguard access points is also a smart idea to provide stronger protection against cybercrime like credential stuffing and phishing. Passly offers single sign-on with personalized user LaunchPads, making it easy to add or remove access to systems and data quickly in the event of an incursion.
3 – Monitor the Dark Web to Identify Any Breaches Immediately
Cybercriminals operate a thriving black market for stolen healthcare information. Healthcare organizations should implement threat intelligence solutions that include Dark Web monitoring, like Dark Web ID. In the example above, notice that Anthem’s data may have been exposed for up to ten months, which is not just dangerous for their business, it’s also dangerous for businesses that have third-party relationships with Anthem.
The legendary Verizon data breach was discovered when it was offered for sale on a Dark Web cyber forum. Because Verizon discovered the breach relatively quickly after it occurred, it was able to take steps to address its security vulnerability. That’s the most important reason that you should consider adding Dark Web ID immediately. Finding out about an exploitable security vulnerability like compromised credentials before the bad guys do can save your company a fortune.
4 – Conduct Cybersecurity Training for your Employees
Most data breaches originate within the organization being breached – 67% of them, by one count. Make cybersecurity training a central part of your data protection strategy, including phishing resistance training with a solution like BullPhish ID that offers consistently updated training on the latest threats. Not only should it be part of your onboarding process for all new employees, but remember that effective security awareness training requires at least quarterly maintenance to ensure that your staff is both retaining that training and aware of the latest cybercrime tactics.
Why is this important to your healthcare organization? Because just one data breach can be financially devastating, not to mention a nightmare of regulatory scrutiny. In one study, the average cost per breached data record was assessed at $363. Although Anthem has never disclosed the cost of its 2015 data breach, it’s not hard to imagine that it was in the tens of millions of dollars – even before regulators dropped the fine hammer on them.