The healthcare sector accounted for the largest share of analyzed breaches in 2020. From January to October, more than 700 breaches resulted in 22 billion records exposed.
And yes, while a chunk of that number is due to the massive shift to remote work, the healthcare industry is particularly vulnerable because of the value of the information it holds. Medical records are reported to be worth 10 times more than credit card numbers on the black market. These records contain a treasure trove of information: full name, address history, social security number, essentially enough to take out a loan or set up a line of credit under the stolen name.
Pair this with the growing number of interconnected devices in the health field, and it’s no wonder that attackers gravitate toward it. Cyberattacks are happening more frequently because organizations are sharing more information across devices and with third-party vendors. They’re digitizing patient data and moving it to cloud services without first checking the security implications of doing so.
It begs the question: What can be done to protect your practice from a cyberattack?
HIPAA and ransomware
The Health and Human Services Office for Civil Rights (OCR), the entity tasked with enforcing HIPAA guidelines, is trying its best to protect patient records from cybercriminals. It finalized the HIPAA Omnibus Rule in 2013 (the most recent addition to the HIPAA guidelines). This rule amends the security, privacy, breach notification, and enforcement rules to strengthen the confidentiality and security of shared data.
In essence, the OCR updated the HIPAA guidelines in an attempt to better protect health information at risk of exposure. That risk typically comes from poor protection practices at healthcare organizations, such as relying on old, legacy tools that can’t keep up with cybersecurity needs. But HIPAA has its limitations as a cybersecurity tool, and considering the newest addition was written in 2013, threats have evolved greatly since then.
Almost half of breaches in the healthcare sector are caused by ransomware.
The HIPAA Journal cites the reason: the healthcare industry is more likely to pay the ransom than other industry sectors. Providers need to restore access to patient data as soon as possible to continue caring for patients. Factor in patients needing COVID care back in 2020, and the probability skyrockets.
Here are a few tips HIPAA Journal gives to combat ransomware. We go into more detail about the preparations your practice should make below.
- Don’t click on a phishing email. If you don’t know what that looks like, read this.
- Have security professionals search for Trojans on the network.
- Implement regular employee training to identify social engineering attacks.
- Increase security monitoring over weekends and holidays; many attacks occur at these times because cybercriminals know monitoring is likely reduced.
3 measures to combat a cybersecurity breach
While the stats aren’t pretty, it is possible to defend against cyberattackers by following this advice.
1. Establish a security culture
No matter how secure your network is, it’s only as secure as its weakest link. And in most cases, the weakest link is the user. This stems from a lack of awareness about threats and vulnerabilities, leading to jeopardized information.
Your healthcare practice should instill and support a security-minded organizational culture. That means frequent, ongoing education and training, ensuring people managers set a good example with regard to security practices, and taking responsibility for information security.
Work to overcome the perception that a security breach only happens to other people. Security practices must be built into the organization, not bolted on.
2. Plan for the unexpected
When it comes to cybersecurity, smart preparation means expecting the unexpected. Two keys to doing this:
- Create backups of your patient data
- Have a sound recovery plan
Healthcare data backup and recovery are critical components of the health IT infrastructure. It’s not a question of if you’ll need them, but when.
The general rule for backing up data is to keep at least three copies of the backup on two different types of media, with at least one copy held offsite. Examples include a physical medium, such as magnetic tape or a removable hard drive, combined with copies of the data stored in the cloud.
Cloud-based backup is necessary for keeping data available to end users if a cyberattack occurs. It also feeds into the recovery plan, giving the organization the ability to switch over to the recovery data quickly.
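The three-copies, two-media, one-offsite rule above is easy to state and easy to drift away from once a tape rotation is skipped or a cloud job silently fails. The following script is an added example, not code from the article or from any backup vendor: it checks a small backup inventory against that rule. The inventory format, the copy labels and the assumption that a copy only counts if it was verified (checksum or restore test) within the last seven days are all constructed for illustration; the freshness check goes a step beyond the rule as the article states it.

```python
"""Check a backup inventory against the 3-2-1 rule.

Constructed example: the inventory format and labels are assumptions,
and the "verified within N days" requirement is an addition to the rule.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    label: str               # hypothetical identifier for the copy
    media: str               # e.g. "disk", "tape", "cloud"
    offsite: bool            # held outside the practice's own building
    last_verified: datetime  # last successful checksum or restore test


def check_321(copies, now, max_age_days=7):
    """Return findings for the inventory; 'compliant' is True only if every rule holds.

    Copies that have not been verified within max_age_days are listed as
    stale and do not count toward the three copies.
    """
    fresh = [c for c in copies if now - c.last_verified <= timedelta(days=max_age_days)]
    findings = {
        "copies": len(fresh),
        "media_types": sorted({c.media for c in fresh}),
        "offsite_copies": sum(1 for c in fresh if c.offsite),
        "stale": sorted(c.label for c in copies if c not in fresh),
    }
    findings["compliant"] = (
        findings["copies"] >= 3
        and len(findings["media_types"]) >= 2
        and findings["offsite_copies"] >= 1
    )
    return findings


# Constructed "current time" and inventories for the sample run
NOW = datetime(2021, 3, 1, 6, 0)

# Nightly disk copy on site, weekly tape taken offsite, cloud snapshot: compliant
SAMPLE_INVENTORY = [
    BackupCopy("nightly-nas", "disk", False, NOW - timedelta(days=1)),
    BackupCopy("weekly-tape", "tape", True, NOW - timedelta(days=3)),
    BackupCopy("cloud-snapshot", "cloud", True, NOW - timedelta(days=1)),
]

# Same layout, but the tape has not been verified in a month: it no longer
# counts, so only two copies remain and the inventory fails the check.
STALE_INVENTORY = [
    BackupCopy("nightly-nas", "disk", False, NOW - timedelta(days=1)),
    BackupCopy("weekly-tape", "tape", True, NOW - timedelta(days=30)),
    BackupCopy("cloud-snapshot", "cloud", True, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for name, inventory in (("good", SAMPLE_INVENTORY), ("stale", STALE_INVENTORY)):
        print(name, check_321(inventory, NOW))
```

Running the check as a scheduled job and alerting on `compliant == False` turns the rule from a policy statement into something that is actually measured; the stale list tells the operator which copy to fix.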
Many vendors offer both backup and recovery services. When choosing a backup and recovery tool, look for one that offers the least amount of disruption to existing IT infrastructure, such as NovaBACKUP, which is HIPAA compliant.
3. Invest in IT security personnel
Ultimately, a network is more secure when every individual accessing it can be identified and tracked. That’s why it’s important to know who is on your network, when they’re on it, why they’re on it, and what they’re doing on it.
This is why it’s important to have a dedicated IT security professional for your healthcare practice. It’s their job to monitor access points, ensure end users have only the minimum access required to do their jobs, and identify potential weaknesses in third-party relationships.
With most networks having multiple unsecured entry points, a plethora of cloud-based services, and many connected devices, the attack surface is large and inviting. That’s why you need someone manning the fort full-time.
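Knowing who is on the network and when ties directly back to the earlier tip about weekend and holiday monitoring. The script below is an added example, not code from the article: it reads constructed login log lines and flags the ones a security person should look at first: logins on weekends or holidays, outside business hours, from outside the practice's own network, or by accounts that are not on the roster. The log format, the user roster, the holiday list, the business hours and the internal address prefix are all assumptions made for illustration.

```python
"""Flag logins that fall outside expected users, hours and locations.

Constructed example: the log format, roster, holidays and network ranges
are assumptions, not from any real practice.
"""
import re
from datetime import date, datetime, time

# Constructed syslog-style lines (format assumed); 2020-12-26 is a Saturday
SAMPLE_LOG = """\
2020-12-24T23:12:05 ehr-app sshd: Accepted password for nurse.kim from 10.1.4.22
2020-12-25T02:40:11 ehr-app sshd: Accepted password for svc-backup from 10.1.9.8
2020-12-26T10:15:42 ehr-app sshd: Accepted password for dr.patel from 203.0.113.45
2020-12-28T09:03:17 ehr-app sshd: Accepted password for nurse.kim from 10.1.4.22
2020-12-28T11:20:00 ehr-app sshd: Accepted password for j.doe from 10.1.4.80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed roster and access policy for the practice
KNOWN_USERS = {"nurse.kim", "dr.patel", "svc-backup"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # local clinic hours
HOLIDAYS = {date(2020, 12, 25)}
INTERNAL_NET = "10."                          # prefix of the practice's own addresses


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_login(rec):
    """Return the reasons this login deserves a human look (empty list = routine)."""
    reasons = []
    ts = rec["ts"]
    if rec["user"] not in KNOWN_USERS:
        reasons.append("unknown-user")
    if ts.weekday() >= 5:                     # Saturday or Sunday
        reasons.append("weekend")
    if ts.date() in HOLIDAYS:
        reasons.append("holiday")
    if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
        reasons.append("after-hours")
    if not rec["src"].startswith(INTERNAL_NET):
        reasons.append("external-source")
    return reasons


def flag_logins(log_text):
    """Map 'user@timestamp' to its reasons for every login that is not routine."""
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue            # unparseable lines are skipped, not silently trusted
        reasons = review_login(rec)
        if reasons:
            flagged[f"{rec['user']}@{rec['ts'].isoformat()}"] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in flag_logins(SAMPLE_LOG).items():
        print(key, ", ".join(reasons))
```

On the sample data the Monday-morning login from a known user on the internal network is the only routine one; the Christmas-night service-account login, the Saturday login from an external address and the login by an account that is not on the roster are each flagged with the reasons that apply. In practice the roster and hours come from the practice's directory and schedule rather than from constants in the script.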
Prepare with cybersecurity software
One of the best investments in securing your healthcare practice is security software. If you’re looking for ways to better defend against a cybersecurity attack, use our Product Selection Tool to find systems that are tailored to your requirements.